Id: 377188 Sample Name: Upx0V9Wce6 Cookbook: Default - Jbs Time: 09:09:49 Date: 29/03/2021 Version: 31.0.0 Emerald

ID: 377188
Sample Name: UPX0v9WcE6

Cookbook: default.jbs
Time: 09:09:49
Date: 29/03/2021
Version: 31.0.0 Emerald
Table of Contents
Table of Contents 2
Analysis Report UPX0v9WcE6 5
Overview 5
General Information 5
Detection 5
Signatures 5
Classification 5
Startup 5
Malware Configuration 5
Yara Overview 6
Sigma Overview 6
Signature Overview 6
AV Detection: 6
Compliance: 6
System Summary: 6
Data Obfuscation: 6
Hooking and other Techniques for Hiding and Protection: 6
Malware Analysis System Evasion: 6
HIPS / PFW / Operating System Protection Evasion: 7
Mitre Att&ck Matrix 7
Behavior Graph 7
Screenshots 8
Thumbnails 8
Antivirus, Machine Learning and Genetic Malware Detection 9
Initial Sample 9
Dropped Files 9
Unpacked PE Files 9
Domains 10
URLs 10
Domains and IPs 11
Contacted Domains 11
URLs from Memory and Binaries 11
Contacted IPs 13
Public 13
Private 13
General Information 14
Simulations 15
Behavior and APIs 15
Joe Sandbox View / Context 15
IPs 15
Domains 15
ASN 16
JA3 Fingerprints 16
Dropped Files 16
Created / dropped Files 16
Static File Info 18
General 18
File Icon 18
Static PE Info 18
General 18
Authenticode Signature 18
Entrypoint Preview 19
Data Directories 19
Sections 20
Resources 20
Imports 21
Version Infos 22
Copyright Joe Security LLC 2021 Page 2 of 36
Possible Origin 22
Network Behavior 22
Snort IDS Alerts 22
Network Port Distribution 23
TCP Packets 23
UDP Packets 24
DNS Queries 25
DNS Answers 25
Code Manipulations 26
Statistics 26
Behavior 26
System Behavior 26
Analysis Process: UPX0v9WcE6.exe PID: 5920 Parent PID: 5972 26
General 26
File Activities 26
File Read 26
General 27
File Activities 27
Registry Activities 27
Key Created 27
Key Value Created 27
Analysis Process: conhost.exe PID: 1908 Parent PID: 956 27
General 27
General 28
File Activities 28
File Read 28
Analysis Process: explorer.exe PID: 3440 Parent PID: 5920 28
General 28
File Activities 28
General 28
File Activities 29
File Written 29
General 29
General 29
File Activities 30
File Read 30
General 30
File Activities 30
File Read 30
General 30
File Activities 30
General 31
General 31
File Activities 31
File Read 31
General 31
File Activities 32
File Written 32
General 32
General 32
File Activities 32
Analysis Process: svchost.exe PID: 3688 Parent PID: 560 32
General 32
File Activities 33

General 33
General 33
File Activities 34
General 34
File Activities 34
File Read 34
General 34
File Activities 34
File Written 34
General 35
General 35
General 35
General 35
Disassembly 36
Code Analysis 36

Analysis Report UPX0v9WcE6
Overview
General Information Detection Signatures Classification
Sample UPX0v9WcE6 (renamed

Name: file extension from none to Detected
Detected unpacking
unpacking (changes
(changes PE
PE se
se…
se…
exe)
Detected
Detected unpacking
Detected unpacking (changes PE
unpacking (overwrites
(overwrites itsse
its oo…
o…
Analysis ID: 377188
Detected
Multi
Multi AV unpacking
AV Scanner
Scanner (overwrites
detection
detection for its o …
for doma
doma
doma…
MD5: b4c18286275126…
Multi
Multi AV
Multi AV Scanner
Scanner detection
detection for doma
for subm
subm…
subm…
SHA1: e1e3bcb27fec92d… Ransomware
SHA256: Multi AV Scanner

Allocates
Allocates memorydetection
memory in foreignfor
in foreign subm…
process
process…
process
7c84f12d1931043…
Miner Spreading
Tags: LTDSERVICESLIMITED signed Creates aamemory

Allocates
Creates thread ininanother
thread in foreign existing
another process…
existing malicious
malicious
malicious
malicious
Evader Phishing
Infos:
suspicious
suspicious
suspicious
Creates
Hijacks a thread
Hijacks the
the inflow
control
control another
flow in existing
in another
another pr
pr…
pr…
suspicious
clean
clean
clean
clean
Most interesting Screenshot: Hijacks

Injects aathe
Injects PEcontrol
PE file intoflow
file into in another
aa foreign
foreign pr…
proce
proce…
proce Exploiter Banker
Injects acode
PE into
Injects code file
intointo
the a
the foreign proce
Windows
Windows Explo
Explo…
Explo…
Spyware Trojan / Bot
Injects
Overwrites into with
codecode
Overwrites code the
withWindows Explojj…
unconditional
unconditional j…
Score: 100 Adware
Range: 0 - 100 Overwrites

PE file
PE file has code with sections
has nameless
nameless unconditional
sections j
Whitelisted: false PE fileto

Tries
Tries tohas nameless
detect
detect sections
virtualization
virtualization through
through…
through…
Confidence: 100%
Tries
Writes todetect
Writestoto foreignvirtualization
foreign memory through
memory regions
regions
Writes to foreign
Abnormal
Abnormal high memory
high CPU
CPU Usage
Usageregions
Adds
Abnormal high CPU
Adds // modifies
modifies Usage
Windows
Windows certificates
certificates
Antivirus
Adds
Antivirus
/ modifies
or Windows
or Machine
Machine certificates
Learning
Learning detec
detec…
detec…
Contains or
Antivirus Machine Learning
functionality for detec…
for execution
Startup Contains functionality execution
Contains
Contains functionality
Contains for
functionality to execution
to read
read the
the PEB
PEB
System is w10x64 Contains
Creates aafunctionality
Creates DirectInput to read(often
DirectInput object
object the PEB
(often fo
fo…
fo…
UPX0v9WcE6.exe (PID: 5920 cmdline: 'C:\Users\user\Desktop\UPX0v9WcE6.exe' MD5: B4C18286275126D4682C7E336566CB66)
Creates
Creates DirectInput
aa process
process in object (often
in suspended
suspended mofo…
mo…
mo
UPX0v9WcE6.exe (PID: 956 cmdline: 'C:\Users\user\Desktop\UPX0v9WcE6.exe' MD5: B4C18286275126D4682C7E336566CB66)
conhost.exe (PID: 1908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5:
Creates
Creates filesEA777DEEA782E8B4D7C7C33BBF8A4496)
afiles
process
insidein
inside thesuspended
the system mo…
system direc
direc
direc…
explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
Creates files
Creates or inside the
or modifies
modifies system
windows
windows direc
services
services
UPX0v9WcE6.exe (PID: 6520 cmdline: C:\Windows\Explorer.EXE MD5: B4C18286275126D4682C7E336566CB66)
Creates or modifies windows services
connection… …
Internet
Internet Provider
Provider seen
seen in
in connection
connection
conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
Internet
May
May sleep Provider
sleep seen
(evasive
(evasive
UPX0v9WcE6.exe (PID: 7092 cmdline: C:\Windows\Explorer.EXE MD5: B4C18286275126D4682C7E336566CB66) in connection
loops)
loops) to
to hinder
hinder …
May sleep (evasive loops) to hinder
Monitors
Monitors certain
certain registry
registry keys
keys valu…
valu…
// valu
Monitors
PE OLEcertain
PE // OLE file hasregistry
file has
UPX0v9WcE6.exe (PID: 6356 cmdline: C:\Windows\Explorer.EXE MD5: B4C18286275126D4682C7E336566CB66)an keys
an invalid
invalid / valu
certificate
certificate
PE /file
OLE file has an invalid resource
certificate…
PE file
PE contains
contains executable
executable resource…
resource
PE
PE file
file contains executable
contains sections
sections with
UPX0v9WcE6.exe (PID: 1144 cmdline: C:\Windows\Explorer.EXE MD5: B4C18286275126D4682C7E336566CB66) withresource
non-s
non-s…
non-s…
UPX0v9WcE6.exe (PID: 4824 cmdline: C:\Users\user\Desktop\UPX0v9WcE6.exe MD5: B4C18286275126D4682C7E336566CB66)
PE
PE file
file contains sections
contains strange with non-s
strange resources
resources
PE
conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1file
Queries
Queries contains
MD5:disk
disk strange resourcesused…
used…
EA777DEEA782E8B4D7C7C33BBF8A4496)
information
information (often
(often used
Queries disk
Queries the information
the volume
volume (often used
information
information (nam
(nam…
(nam…
Sample
Queries
conhost.exe (PID: 4700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5:
Sample execution
theEA777DEEA782E8B4D7C7C33BBF8A4496)
volume
execution stops
information
stops while
while proce
(nam
proce…
proce …
svchost.exe (PID: 3688 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
Sample
Sample execution
Sample file
file is stops
is different
different while
than
than proce…
original
original
Sample
UPX0v9WcE6.exe (PID: 5668 cmdline: C:\Users\user\Desktop\UPX0v9WcE6.exe MD5:
Uses
Uses filePE
is different than original
B4C18286275126D4682C7E336566CB66)
32bit
32bit PE files
files
Uses 32bit
Uses code PE files
code obfuscation
obfuscation techniques
techniques ((…
(…
cleanup
Uses code obfuscation techniques (
Malware Configuration
No configs have been found

Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
Click to jump to signature section
AV Detection:
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Compliance:
Detected unpacking (overwrites its own PE header)
System Summary:
PE file has nameless sections
Data Obfuscation:
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hooking and other Techniques for Hiding and Protection:
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Malware Analysis System Evasion:
Tries to detect virtualization through RDTSC time measurements

HIPS / PFW / Operating System Protection Evasion:
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Writes to foreign memory regions
Mitre Att&ck Matrix
Initial Privilege Credential Lateral Command Network

Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Effects
Valid Command Windows Windows Masquerading 1 Credential Query Registry 1 Remote Credential Exfiltration Encrypted Eavesdrop on
Accounts and Scripting Service 1 Service 1 API Services API Over Other Channel 2 Insecure
Interpreter 2 Hooking 1 Hooking 1 Network Network
Medium Communication
Default Scheduled Registry Process Virtualization/Sandbox Input Security Software Remote Input Exfiltration Non- Exploit SS7 to
Accounts Task/Job Run Keys / Injection 6 1 2 Evasion 2 Capture 1 Discovery 1 2 1 Desktop Capture 1 Over Application Redirect Phone
Startup Protocol Bluetooth Layer Calls/SMS
Folder 1 Protocol 1
Domain At (Linux) Logon Script Registry Run Disable or Modify Security Virtualization/Sandbox SMB/Windows Data from Automated Application Exploit SS7 to
Accounts (Windows) Keys / Startup Tools 1 Account Evasion 2 Admin Shares Network Exfiltration Layer Track Device
Folder 1 Manager Shared Protocol 2 Location
Drive
Local At (Windows) Logon Script Logon Script Process NTDS Process Discovery 2 Distributed Input Scheduled Protocol SIM Card
Accounts (Mac) (Mac) Injection 6 1 2 Component Capture Transfer Impersonation Swap
Object Model
Cloud Cron Network Network Logon Obfuscated Files or LSA Remote System SSH Keylogging Data Fallback Manipulate
Accounts Logon Script Script Information 1 Secrets Discovery 1 Transfer Channels Device
Size Limits Communication
Replication Launchd Rc.common Rc.common Software Cached System Information VNC GUI Input Exfiltration Multiband Jamming or
Through Packing 2 1 Domain Discovery 1 2 3 Capture Over C2 Communication Denial of
Removable Credentials Channel Service
Media
Behavior Graph

Hide Legend
Legend:
Process
Behavior Graph
Signature
ID: 377188
Sample:
Startdate:
UPX0v9WcE6
29/03/2021
Created File
Architecture: WINDOWS
Score: 100
DNS/IP Info
Multi AV Scanner detection
for domain / URL
Multi AV Scanner detection
for submitted file
PE file has nameless
sections
started started started
Is Dropped
Is Windows Process
UPX0v9WcE6.exe UPX0v9WcE6.exe UPX0v9WcE6.exe
Number of created Registry Values 2 other processes
Number of created Files

127.0.0.1
Visual Basic unknown

unknown
injected started started started started

Delphi
Overwrites code with
Creates a thread in
Detected unpacking (changes Detected unpacking (overwrites unconditional jumps Hijacks the control Injects code into the Writes to foreign memory Injects a PE file into
2 other signatures another existing process
PE section rights) its own PE header) - possibly settings flow in another process Windows Explorer (explorer.exe) regions a foreign processes
hooks in foreign process
Java
(thread injection)
explorer.exe UPX0v9WcE6.exe UPX0v9WcE6.exe .Net C# or VB.NET UPX0v9WcE6.exe UPX0v9WcE6.exe
1 4 1 1 C, C++ or other language 1 1
m1.uptime66.com
Is malicious
started started started started started 195.181.164.212, 443, 49709, 49724 started started started
CDN77GB Internet
United Kingdom
UPX0v9WcE6.exe UPX0v9WcE6.exe UPX0v9WcE6.exe UPX0v9WcE6.exe conhost.exe conhost.exe conhost.exe conhost.exe
Overwrites code with

Creates a thread in
unconditional jumps Hijacks the control Injects a PE file into
another existing process started started started
- possibly settings flow in another process a foreign processes
(thread injection)
hooks in foreign process
UPX0v9WcE6.exe UPX0v9WcE6.exe UPX0v9WcE6.exe
1 1
started started started
conhost.exe conhost.exe conhost.exe
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
No bigger version

Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source Detection Scanner Label Link

UPX0v9WcE6.exe 52% Virustotal Browse
UPX0v9WcE6.exe 22% Metadefender Browse
UPX0v9WcE6.exe 66% ReversingLabs Win32.Trojan.GenCBL
Dropped Files
No Antivirus matches
Unpacked PE Files
Source Detection Scanner Label Link Download

18.0.UPX0v9WcE6.exe.400000.0.unpack 100% Avira TR/Crypt.ZPACK.Gen2 Download File
Source Detection Scanner Label Link Download
Domains

m1.uptime66.com 8% Virustotal Browse
URLs

www.innosetup.com/ 0% URL Reputation safe
169.254.169.254/latest/meta-data/iam/security-credentials/length 0% Avira URL Cloud safe
169.254.16 0% Virustotal Browse
169.254.16 0% Avira URL Cloud safe
www.founder.com.cn/cn/bThe 0% URL Reputation safe
https://m1.uptime66.com/fetch.jsonillegal 0% Avira URL Cloud safe
www.tiro.com 0% URL Reputation safe
www.goodfont.co.kr 0% URL Reputation safe
www.carterandcone.coml 0% URL Reputation safe
www.sajatypeworks.com 0% URL Reputation safe
www.typography.netD 0% URL Reputation safe
www.founder.com.cn/cn/cThe 0% URL Reputation safe
www.galapagosdesign.com/staff/dennis.htm 0% URL Reputation safe
fontfabrik.com 0% URL Reputation safe

www.founder.com.cn/cn 0% URL Reputation safe
169.254.170.2/in 0% Avira URL Cloud safe
www.remobjects.com/psU 0% URL Reputation safe
www.jiyu-kobo.co.jp/ 0% URL Reputation safe
www.galapagosdesign.com/DPlease 0% URL Reputation safe
www.sandoll.co.kr 0% URL Reputation safe
www.remobjects.com/ps 0% URL Reputation safe
www.urwpp.deDPlease 0% URL Reputation safe
www.zhongyicts.com.cn 0% URL Reputation safe
www.sakkal.com 0% URL Reputation safe
Domains and IPs
Contacted Domains
Name IP Active Malicious Antivirus Detection Reputation

m1.uptime66.com 195.181.164.212 true true 8%, Virustotal, Browse unknown
URLs from Memory and Binaries
Name Source Malicious Antivirus Detection Reputation

www.innosetup.com/ UPX0v9WcE6.exe, UPX0v9WcE6.exe, false URL Reputation: safe unknown
00000004.00000002.421898818. URL Reputation: safe
0000000000401000.00000020.0002 URL Reputation: safe
0000.sdmp URL Reputation: safe
169.254.169.254/latest/meta-data/iam/security- UPX0v9WcE6.exe false Avira URL Cloud: safe unknown
credentials/length
www.autoitscript.com/autoit3/J explorer.exe, 00000005.0000000 false high
0.373504594.000000000095C000.0
0000004.00000020.sdmp
www.apache.org/licenses/LICENSE-2.0 explorer.exe, 00000005.0000000 false high
0.403289067.000000000B1A6000.0
0000002.00000001.sdmp

www.fontbureau.com explorer.exe, 00000005.0000000 false high
0.403289067.000000000B1A6000.0
0000002.00000001.sdmp
www.fontbureau.com/designersG explorer.exe, 00000005.0000000 false high
0.403289067.000000000B1A6000.0
0000002.00000001.sdmp
169.254.16 UPX0v9WcE6.exe false 0%, Virustotal, Browse low
Avira URL Cloud: safe
www.fontbureau.com/designers/? explorer.exe, 00000005.0000000 false high
0.403289067.000000000B1A6000.0
0000002.00000001.sdmp
www.founder.com.cn/cn/bThe explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
0.403289067.000000000B1A6000.0 URL Reputation: safe
0000002.00000001.sdmp URL Reputation: safe
URL Reputation: safe
https://m1.uptime66.com/fetch.jsonillegal UPX0v9WcE6.exe true Avira URL Cloud: safe unknown
www.fontbureau.com/designers? explorer.exe, 00000005.0000000 false high
0.403289067.000000000B1A6000.0
0000002.00000001.sdmp
https://geoip.maxmind.com/geoip/v2.1/country/invalid UPX0v9WcE6.exe false high
www.tiro.com explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.fontbureau.com/designers explorer.exe, 00000005.0000000 false high
0.403289067.000000000B1A6000.0
0000002.00000001.sdmp
www.goodfont.co.kr explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
https://geoip.maxmind.com/geoip/v2.1/insights/invalid UPX0v9WcE6.exe false high
www.carterandcone.coml explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.sajatypeworks.com explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.typography.netD explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.fontbureau.com/designers/cabarga.htmlN explorer.exe, 00000005.0000000 false high
0.403289067.000000000B1A6000.0
0000002.00000001.sdmp
www.founder.com.cn/cn/cThe explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.galapagosdesign.com/staff/dennis.htm explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
fontfabrik.com explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.founder.com.cn/cn explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.fontbureau.com/designers/frere-jones.html explorer.exe, 00000005.0000000 false high

0.403289067.000000000B1A6000.0
0000002.00000001.sdmp
169.254.170.2/in UPX0v9WcE6.exe false Avira URL Cloud: safe unknown
www.remobjects.com/psU UPX0v9WcE6.exe, 00000000.00000 false URL Reputation: safe unknown
000.327732476.0000000000401000 URL Reputation: safe
.00000020.00020000.sdmp, UPX0v URL Reputation: safe
9WcE6.exe, 00000001.00000000.3 URL Reputation: safe
58580163.0000000000401000.0000
0020.00020000.sdmp, UPX0v9WcE6
.exe, 00000004.00000002.421898
818.0000000000401000.00000020.
00020000.sdmp
www.jiyu-kobo.co.jp/ explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.galapagosdesign.com/DPlease explorer.exe, 00000005.0000000 false URL Reputation: safe unknown

www.fontbureau.com/designers8 explorer.exe, 00000005.0000000 false high
0.403289067.000000000B1A6000.0
0000002.00000001.sdmp
https://geoip.maxmind.com/geoip/v2.1/city/inspector- UPX0v9WcE6.exe false high
fips.us-gov-east-1.amazonaws.cominspector-fips.u
www.fonts.com explorer.exe, 00000005.0000000 false high
0.403289067.000000000B1A6000.0
0000002.00000001.sdmp
www.sandoll.co.kr explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.remobjects.com/ps UPX0v9WcE6.exe false URL Reputation: safe unknown
www.urwpp.deDPlease explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.zhongyicts.com.cn explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
www.sakkal.com explorer.exe, 00000005.0000000 false URL Reputation: safe unknown
Contacted IPs
No. of IPs < 25%
25% < No. of IPs < 50%

50% < No. of IPs < 75%
75% < No. of IPs
Public
IP Domain Country Flag ASN ASN Name Malicious

195.181.164.212 m1.uptime66.com United Kingdom 60068 CDN77GB true
Private
IP
127.0.0.1
General Information
Joe Sandbox Version: 31.0.0 Emerald

Analysis ID: 377188
Start date: 29.03.2021
Start time: 09:09:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: UPX0v9WcE6 (renamed file extension from none to
exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus
2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8
Update 211
Number of analysed new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies: HCA enabled
EGA enabled
HDC enabled
AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.winEXE@34/7@3/2
EGA Information: Failed
HDC Information: Successful, ratio: 14.8% (good quality ratio 10.1%)
Quality average: 59%
Quality standard deviation: 43.7%
HCA Information: Successful, ratio: 60%

Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time
Enable AMSI

Warnings: Show All
Exclude process from analysis (whitelisted):
MpCmdRun.exe, audiodg.exe,
BackgroundTransferHost.exe, WMIADAP.exe,
backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted):
204.79.197.200, 13.107.21.200, 13.64.90.137,
2.23.155.232, 2.23.155.186, 104.43.139.144,
52.147.198.201, 20.82.209.183, 2.20.142.209,
2.20.142.210, 13.88.21.125, 20.82.210.154,
92.122.213.247, 92.122.213.194, 104.43.193.48,
184.30.20.56, 20.54.26.129, 168.61.161.212
Excluded domains from analysis (whitelisted):
au.download.windowsupdate.com.edgesuite.net,
arc.msn.com.nsatc.net, 2-01-3cf7-
0009.cdx.cedexis.net, a767.dspw65.akamai.net,
wu-fg-shim.trafficmanager.net,
a1449.dscg2.akamai.net, fs-
wildcard.microsoft.com.edgekey.net, fs-
wildcard.microsoft.com.edgekey.net.globalredir.aka
dns.net, arc.msn.com, www-bing-com.dual-a-
0001.a-msedge.net,
audownload.windowsupdate.nsatc.net,
arc.trafficmanager.net,
watson.telemetry.microsoft.com, img-prod-cms-rt-
microsoft-com.akamaized.net,
prod.fs.microsoft.com.akadns.net, au-bg-
shim.trafficmanager.net, www.bing.com,
skypedataprdcolwus17.cloudapp.net,
fs.microsoft.com, dual-a-0001.a-msedge.net, ris-
prod.trafficmanager.net, ctldl.windowsupdate.com,
e1723.g.akamaiedge.net,
skypedataprdcolcus17.cloudapp.net,
download.windowsupdate.com,
a767.dscg3.akamai.net,
download.windowsupdate.com.edgesuite.net,
skypedataprdcoleus16.cloudapp.net,
ris.api.iris.microsoft.com, a-0001.a-
afdentry.net.trafficmanager.net,
blobcollector.events.data.trafficmanager.net,
skypedataprdcolwus15.cloudapp.net
Report creation exceeded maximum time and may
have missing disassembly code information.
Report size exceeded maximum capacity and may
have missing behavior information.
Report size getting too big, too many
NtOpenKeyEx calls found.
Report size getting too big, too many
NtQueryValueKey calls found.
Simulations
Behavior and APIs
Time Type Description

09:11:02 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Prun "C:\Program Files (x86)\PublicGaming\pr
un.exe"
09:11:11 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Prun "C:\Program Files (x86)\PublicGaming\
prun.exe"
09:12:06 API Interceptor 2x Sleep call for process: svchost.exe modified
Joe Sandbox View / Context
IPs
No context
Domains

No context
No context
ASN
Match Associated Sample Name / URL SHA 256 Detection Link Context
CDN77GB tGN2wiPl8p.exe Get hash malicious Browse 195.181.169.92
kWobwGNLtC.exe Get hash malicious Browse 195.181.169.92
zPdANLbcCg.exe Get hash malicious Browse 195.181.169.92
7KMJcMzppg.exe Get hash malicious Browse 195.181.169.92
y6NjIs8UiA.exe Get hash malicious Browse 195.181.169.92
P4fr8v14dH.exe Get hash malicious Browse 195.181.169.92
P4fr8v14dH.exe Get hash malicious Browse 195.181.169.92
Q lifesettlements INVOICE.htm Get hash malicious Browse 89.187.165.193
fd5aDwmrwz.exe Get hash malicious Browse 195.181.169.92
IQZ1hKe5o0.exe Get hash malicious Browse 195.181.169.92
PGUmVNEaTC.exe Get hash malicious Browse 84.17.52.78
PERuTR7vGb.dll Get hash malicious Browse 89.187.165.7
GirafficInstall1.0.0.25.exe Get hash malicious Browse 84.17.52.78

#Ud83d#Udcc4SLC-00673280_982101.rtf Get hash malicious Browse 89.187.165.7
#Ud83d#Udcc4SLC-00673280_982101.rtf Get hash malicious Browse 89.187.165.7
ORDER FRD91PM7.xlsx Get hash malicious Browse 89.187.165.8
ORDER FRD91PM7.xlsx Get hash malicious Browse 89.187.165.8
yVn2ywuhEC.exe Get hash malicious Browse 84.17.52.74
VANGUARD PAYMENT ADVICE.htm Get hash malicious Browse 89.187.165.8
COMFAM INVOICE.htm Get hash malicious Browse 89.187.165.8
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.5935016132784936
Encrypted: false
SSDEEP: 6:0FmiEk1GaD0JOCEfMuaaD0JOCEfMKQmDTpJtAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0xrGaD0JcaaD0JwQQjtAg/0bjSQJ
MD5: D868741BA12034317B75D0EDB2296F87
SHA1: 049231B9FB0F719DC80E5B580A085D28EA049BC6
SHA-256: 8191C0B8FC6B153994C307575C3BB1B1B618766820F07404A8723B8F372CAE24
SHA-512: 7252F736E3BA36B107EF1493D6DE0343346C0D8E2D7C0196889328260145798C8C9A0B1E006FCA7A80E1F6A62801FCF636E1235DF6B9B7CD06729CFB55099471
Malicious: false
Preview:
......:{..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.................................................................................................................................................
........................................................................C:\ProgramData\Microsoft\Network\Downloader\............................................................................................................................
..............................................................................................0u..................@[email protected]............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m
.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G..........................................................................................................................................................
..................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
File Type: Extensible storage user DataBase, version 0x620, checksum 0xe83c5c89, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.09493202460636412
Encrypted: false
SSDEEP: 6:tkGzwl/+j4rUMRIE11Y8TRXDTUFXl8KnkGzwl/+j4rUMRIE11Y8TRXDTUFXl8K:90+j4FO4blTKz0+j4FO4blTK

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
MD5: 1E32C94EA3FFC27A79A319F5FCD5C12A
SHA1: 553B945E96D33C95EA0A36BDC6518C55E526C504
SHA-256: A560C8FF6A757D6D13826578D2949AF4FE2A285D499DBA6EDAC5B8BEDE437D80
SHA-512: 9243315F6D1B12A03E19B6849C512EE559886626C09DAD7FA49357A48F227730E8F8C73ED9D6A0A43A0ED693B9D7A92174F32D8D32A1CE95F57F5D3B28CF3E1F
Malicious: false
Preview:
.<\.... ................e.f.3...w........................&..........w.......yq.h.(..............................3...w...........................................................................................................B...........@.............
......................................................................................... ........3...w.......................................................................................................................................................................
................................................................1V......yqq..................w......yq..............................................................................................................................................................
...........................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.10759976255945254
Encrypted: false
SSDEEP: 3:2Slt1EviVl+l7l/bJdAtiRSEll/llall:FyiVkl7t40XlA
MD5: 46FE72BBE9A8BF20845E600816203BDA
SHA1: 6EED8EBE85DA87950003385A5AEE940F6406045B
SHA-256: AD99051B34420518942F7ABFE90B41D001D11AA86DB36F6D8E61CB1E1A2302C0
SHA-512: DCAF70FC0A1902F51DE3C27ECCB7084EFBA2AF48935BCE60E44387F8759CB47530E516E1B4AFED077E83E3CD6187D805A2188EDE735653F6D8FE0226E63A1D
CA
Malicious: false
Preview:
?..n.....................................3...w.......yq......w...............w.......w....:O.....w....................w......yq...........................................................................................................................
..............................................................................................................................................................................................................................................................................
..............................................................................................................................................................................................................................................................................
..................................................................................................................................................................................................................
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBAC
A
Malicious: false
Preview:
{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
\Device\ConDrv
Process: C:\Users\user\Desktop\UPX0v9WcE6.exe
File Type: ASCII text
Category: dropped
Size (bytes): 667
Entropy (8bit): 5.06057468541587
Encrypted: false
SSDEEP: 12:cfygzgypRmLhGu/RU2WBjGomqRUQsAkRU2WBkFBqRUQVZOEiBqyfdGBiBqyXORaT:uzAxRJ0jG6R1sbRJ0QMR1VZmM8dFM82u
MD5: DC8E00B1BA9FDF5363C925429151D018
SHA1: 249FEC2E3111BDD890565170FF1A27E70B54D315
SHA-256: 8ECC47C2FE6368EE093FB95186BE03407E7FC857A3BE0C89964C0B35B1D5B223
SHA-512: 73041EC987FDA3DD349AF9B84256FD828A1B6C20E13BD23E75BA835B361D7C3959213F03B3FF7B10298FDFF0D3C3513BFE8CBCD7C43FE512080DE7D4778D17C
0
Malicious: false
Preview:
panic: runtime error: invalid memory address or nil pointer dereference.[signal 0xc0000005 code=0x0 addr=0x0 pc=0x8365fd]..goroutine 7 [running]:.netbounce/tunnel.
(*Client).changeState(0x0, 0x1, 0x0, 0x0, 0x53)..C:/Users/Bob/go/src/netbounce/tunnel/client.go:409 +0x1d.netbounce/tunnel.(*Client).Start(0x0)..C:/Users/Bob/go/src/ne
tbounce/tunnel/client.go:273 +0x79.main.(*Program).startTunnelClients(0x11da3d00)..C:/Users/Bob/go/src/netbounce/client/clientworks.go:234 +0x74.main.(*Program)
.run(0x11da3d00)..C:/Users/Bob/go/src/netbounce/client/clientworks.go:325 +0x6a5.created by main.(*Program).Start..C:/Users/Bob/go/src/netbounce/client/clientwo
rks.go:213 +0x5c.

Static File Info
General
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.900869257046194
TrID: Win32 Executable (generic) a (10002005/4)
97.75%
Windows ActiveX control (116523/4) 1.14%
Inno Setup installer (109748/4) 1.07%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%
File name: UPX0v9WcE6.exe
File size: 9046968
MD5: b4c18286275126d4682c7e336566cb66
SHA1: e1e3bcb27fec92d160591aca62e058654e2ef4a8
SHA256: 7c84f12d1931043664fde0954a5af1b0e30edd8f7fcc6b33
cfe298fc431baa84
SHA512: 2a47a5ba1e7a30cb6f89080e8943e62ff3fc9fd12a8cea93
9afbcdd8eed8b8f1c311e3b4c89b82454e0522a81129b0f
bf11a5be9fe4332cd3a05533ac8b13be9
SSDEEP: 196608:6jqN6pnt2NzFFXmCXNvyZRJHWhf0IemjoBbe
X:6txUNzL2ONMJHrIeMMbeX
File Content Preview: [email protected]....................!..L.
!..This program must be run under Win32..$7..................
.........................................................................................
............................
File Icon
Icon Hash: c4e0c9c4c4dc9c20
Static PE Info
General
Entrypoint: 0x49b7dc
Entrypoint Section: CODE
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO,
EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI,
RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: ba4cc0afb12afe0a3f885ae6696404ed
Authenticode Signature
Signature Valid: false

Signature Issuer: CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester,
C=GB
Signature Validation Error: A required certificate is not within its validity period when verifying against the current
system clock or the timestamp in the signed file
Error Number: -2146762495
Not Before, Not After 3/17/2021 5:00:00 PM 3/18/2022 4:59:59 PM
Subject Chain CN=LTD SERVICES LIMITED, O=LTD SERVICES LIMITED, STREET=19 Young Close,
L=Clacton-On-Sea, S=Essex, PostalCode=CO16 8UQ, C=GB

Version: 3
Thumbprint MD5: 38896DF7AD72D87D9A00C51AB94A7C27
Thumbprint SHA-1: A7287460DCF02E38484937B121CE8548191D4E64
Thumbprint SHA-256: 05BE3171CA7272803D139CA13B16C24A3DD22917B1B8D6D0FD5401E63A79DD27
Serial: 7D36CBB64BC9ADD17BA71737D3ECCECA
Entrypoint Preview
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF4h
push ebx
push esi
push edi
call 00007FF080DBC86Fh
call 00007FF080DBEBC6h
call 00007FF080DBF91Dh
call 00007FF080DBFD70h
call 00007FF080DC32F3h
call 00007FF080DCA106h
call 00007FF080DCA369h
call 00007FF080DCC2C0h
call 00007FF080DD29D3h
call 00007FF080DDE8CEh
call 00007FF080DE90E1h
call 00007FF080DEA3C8h
call 00007FF080E0929Fh
call 00007FF080E09766h
call 00007FF080E0A0D1h
call 00007FF080E0B4B0h
call 00007FF080E0CEA3h
call 00007FF080E10DBAh
call 00007FF080E11D19h
call 00007FF080E1302Ch
call 00007FF080E1EEDBh
call 00007FF080E2785Eh
call 00007FF080E34005h
call 00007FF080E3F614h
call 00007FF080E51C83h
xor eax, eax
push ebp
push 0049B8A0h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FF080DBEF4Ah
call 00007FF080E54A35h
mov eax, 0049B51Ch
push eax
push 0049B528h
mov eax, dword ptr [0049E62Ch]
call 00007FF080DDDDE8h
call 00007FF080E54A63h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FF080E54D2Bh
jmp 00007FF081DBC2E0h
Data Directories
Name Virtual Address Virtual Size Is in Section

IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0

Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_IMPORT 0xa0000 0x2632 .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE 0xae000 0x52838
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY 0x89f800 0x13b8 CloudMot
IMAGE_DIRECTORY_ENTRY_BASERELOC 0xa5000 0x0 .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0xa4000 0x18 .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
CODE 0x1000 0x9aa20 0x9ac00 False 0.496884150343 data 6.60249204826 IMAGE_SCN_MEM_EXECUTE,
IMAGE_SCN_CNT_CODE,
IMAGE_SCN_MEM_READ
DATA 0x9c000 0x1144 0x1200 False 0.458116319444 data 4.56609282758 IMAGE_SCN_CNT_INITIALIZED_D
ATA, IMAGE_SCN_MEM_WRITE,
IMAGE_SCN_MEM_READ
BSS 0x9e000 0x1590 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE,
IMAGE_SCN_MEM_READ
.idata 0xa0000 0x2632 0x2800 False 0.3662109375 data 4.88501269308 IMAGE_SCN_CNT_INITIALIZED_D
ATA, IMAGE_SCN_MEM_WRITE,
IMAGE_SCN_MEM_READ
.tls 0xa3000 0x8 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE,
IMAGE_SCN_MEM_READ
.rdata 0xa4000 0x18 0x200 False 0.05078125 data 0.210826267787 IMAGE_SCN_CNT_INITIALIZED_D
ATA,
IMAGE_SCN_MEM_SHARED,
IMAGE_SCN_MEM_READ
.reloc 0xa5000 0x8d0c 0x0 False 0 empty 0.0 IMAGE_SCN_CNT_INITIALIZED_D
ATA,
IMAGE_SCN_MEM_READ
0xae000 0x52838 0x52a00 False 0.0617406155446 data 2.06375406771 IMAGE_SCN_CNT_INITIALIZED_D
ATA,
IMAGE_SCN_MEM_READ
CloudMot 0x101000 0x7ae000 0x7ae000 unknown unknown unknown unknown IMAGE_SCN_MEM_EXECUTE,
IMAGE_SCN_CNT_CODE,
IMAGE_SCN_MEM_READ
Analysis 0x8af000 0xf4f 0x200 False 0.02734375 data 0.0 IMAGE_SCN_MEM_EXECUTE,
IMAGE_SCN_CNT_INITIALIZED_D
ATA, IMAGE_SCN_MEM_READ
Resources
Name RVA Size Type Language Country

RT_CURSOR 0xaea90 0x134 data
RT_CURSOR 0xaebc4 0x134 data
RT_CURSOR 0xaecf8 0x134 data
RT_CURSOR 0xaee2c 0x134 data
RT_CURSOR 0xaef60 0x134 data
RT_CURSOR 0xaf094 0x134 data
RT_BITMAP 0xaf1c8 0x4e8 data
RT_BITMAP 0xaf6b0 0xe8 GLS_BINARY_LSB_FIRST
RT_ICON 0xaf798 0x468 GLS_BINARY_LSB_FIRST
RT_ICON 0xafc00 0x10a8 dBase IV DBT of @.DBF, block length 8192, next
free block index 40
RT_ICON 0xb0ca8 0x25a8 dBase IV DBT of `.DBF, block length 18432, next
free block index 40
RT_ICON 0xb3250 0x42028 data
RT_ICON 0xf5278 0x2e8 data
RT_STRING 0xf5560 0x3a8 data
RT_STRING 0xf5908 0x348 data

Name RVA Size Type Language Country
RT_STRING 0xf5c50 0x3ac data
RT_STRING 0xf5ffc 0x3e2 data
RT_STRING 0xf63e0 0x234 data
RT_STRING 0xf6614 0x2da data
RT_STRING 0xf68f0 0x2fa data
RT_STRING 0xf6bec 0x202 data
RT_STRING 0xf6df0 0xc8 Hitachi SH big-endian COFF object file, not
stripped, 9728 sections, symbol
offset=0x6c007000, 285232640 symbols, optional
header size 28416
RT_STRING 0xf6eb8 0x1ec data
RT_STRING 0xf70a4 0x27a data
RT_STRING 0xf7320 0x3aa data
RT_STRING 0xf76cc 0x7e data
RT_STRING 0xf774c 0x36c data
RT_STRING 0xf7ab8 0x2f2 data
RT_STRING 0xf7dac 0x30c data
RT_STRING 0xf80b8 0x2ce data
RT_STRING 0xf8388 0x68 data
RT_STRING 0xf83f0 0xb4 data
RT_STRING 0xf84a4 0xae data
RT_RCDATA 0xf8554 0x1800 PE32+ executable (console) x86-64, for MS English United States
Windows
RT_RCDATA 0xf9d54 0x5b10 PE32 executable (DLL) (GUI) Intel 80386 (stripped English United States
to external PDB), for MS Windows
RT_RCDATA 0xff864 0x125 Delphi compiled form 'TMainForm'
RT_RCDATA 0xff98c 0x3a2 Delphi compiled form 'TNewDiskForm'
RT_RCDATA 0xffd30 0x320 Delphi compiled form 'TSelectFolderForm'
RT_RCDATA 0x100050 0x300 Delphi compiled form 'TSelectLanguageForm'
RT_GROUP_CURSOR 0x100350 0x14 Lotus unknown worksheet or configuration,
revision 0x1
revision 0x1
revision 0x1
RT_GROUP_CURSOR 0x10038c 0x14 Lotus unknown worksheet or configuration,
revision 0x1
RT_GROUP_CURSOR 0x1003a0 0x14 Lotus unknown worksheet or configuration,
revision 0x1
RT_GROUP_CURSOR 0x1003b4 0x14 Lotus unknown worksheet or configuration,
revision 0x1
RT_GROUP_ICON 0x1003c8 0x3e data
RT_VERSION 0x100408 0x430 data
Imports
DLL Import
kernel32.dll DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree,
LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError,
GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize,
GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll MessageBoxA
oleaut32.dll SafeArrayPutElement, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen,
SysAllocStringLen
advapi32.dll SetSecurityDescriptorDacl, RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueA,
RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenThreadToken,
OpenProcessToken, LookupPrivilegeValueA, InitializeSecurityDescriptor, GetUserNameA, GetTokenInformation, FreeSid,
EqualSid, AllocateAndInitializeSid
kernel32.dll lstrcmpA, WriteProfileStringA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualFree, VirtualAlloc,
TransactNamedPipe, TerminateThread, TerminateProcess, Sleep, SizeofResource, SetNamedPipeHandleState, SetLastError,
SetFileTime, SetFilePointer, SetFileAttributesA, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, RemoveDirectoryA,
ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv,
MoveFileExA, MoveFileA, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExA, LoadLibraryA,
IsDBCSLeadByte, IsBadWritePtr, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom,
GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetTickCount,
GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetShortPathNameA,
GetProfileStringA, GetProcAddress, GetPrivateProfileStringA, GetOverlappedResult, GetModuleHandleA,
GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize,
GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA,
GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA,
GetComputerNameA, GetCommandLineA, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA,
FlushFileBuffers, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime,
DeviceIoControl, DeleteFileA, CreateThread, CreateProcessA, CreateNamedPipeA, CreateMutexA, CreateFileA,
CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CompareFileTime, CloseHandle
DLL Import
version.dll VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode,
SetROP2, SetPixel, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC,
RemoveFontResourceA, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, LineTo, LineDDA,
IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A,
GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits,
GetCurrentPositionEx, GetClipBox, GetBitmapBits, ExtFloodFill, ExcludeClipRect, EnumFontsA, Ellipse, DeleteObject,
DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateDIBitmap,
CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc,
AddFontResourceA
user32.dll WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx,
TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups,
ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement,
SetWindowLongW, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropA, SetMenu,
SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendNotifyMessageA, SendMessageTimeoutA,
SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropA,
RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClassA, PtInRect, PostQuitMessage,
PostMessageA, PeekMessageA, OffsetRect, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA,
MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer,
IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect,
IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn,
GetWindowRect, GetWindowPlacement, GetWindowLongA, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu,
GetScrollPos, GetPropA, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState,
GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow,
GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassInfoW, GetClassInfoA,
GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows,
EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx,
DrawIcon, DrawFrameControl, DrawFocusRect, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon,
DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu,
CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcW, CallWindowProcA, CallNextHookEx,
BringWindowToTop, BeginPaint, AppendMenuA, CharPrevA, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA,
CharToOemBuffA, AdjustWindowRectEx
ole32.dll CoTaskMemFree, CLSIDFromProgID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
shell32.dll ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, ExtractIconA
shell32.dll SHChangeNotify, SHBrowseForFolder, SHGetPathFromIDList, SHGetMalloc
ole32.dll CoDisconnectObject
advapi32.dll AdjustTokenPrivileges
Version Infos
Description Data
LegalCopyright (C) 2020 Advanced Micro Devices, Inc.
ISInternalVersion 23.0.511
InternalName Setup
FileVersion 2.6.2.1818
CompanyName Advanced Micro Devices, Inc.
Internal Build Number 174648
ProductName AMD Ryzen Master
ProductVersion 2.6.2.1818
FileDescription AMD Ryzen Master Installation
ISInternalDescription Setup Launcher Unicode
OriginalFilename InstallShield Setup.exe
Translation 0x0409 0x04b0
Possible Origin
Language of compilation system Country where language is spoken Map
English United States
Network Behavior
Snort IDS Alerts

Source Dest
Timestamp Protocol SID Message Port Port Source IP Dest IP
03/29/21- ICMP 384 ICMP PING 192.168.2.6 2.23.155.232
09:10:37.708974
03/29/21- ICMP 449 ICMP Time-To-Live Exceeded in Transit 84.17.52.126 192.168.2.6
09:10:37.741300
03/29/21- ICMP 384 ICMP PING 192.168.2.6 2.23.155.232
09:10:37.743157
09:10:37.775585
03/29/21- ICMP 384 ICMP PING 192.168.2.6 2.23.155.232
09:10:37.776524
09:10:37.809649
03/29/21- ICMP 384 ICMP PING 192.168.2.6 2.23.155.232
09:10:37.810208
09:10:37.848809
03/29/21- ICMP 384 ICMP PING 192.168.2.6 2.23.155.232
09:10:37.849436
09:10:37.893861
03/29/21- ICMP 384 ICMP PING 192.168.2.6 2.23.155.232
09:10:37.894399
09:10:37.939243
03/29/21- ICMP 384 ICMP PING 192.168.2.6 2.23.155.232
09:10:37.939805
09:10:37.997025
03/29/21- ICMP 384 ICMP PING 192.168.2.6 2.23.155.232
09:10:37.997494
09:10:38.064320
03/29/21- ICMP 384 ICMP PING 192.168.2.6 2.23.155.232
09:10:38.064893
03/29/21- ICMP 408 ICMP Echo Reply 2.23.155.232 192.168.2.6
09:10:38.114441
Network Port Distribution
Total Packets: 59
• 53443(DNS)
• (HTTPS)
TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP

Mar 29, 2021 09:11:21.870923996 CEST 49709 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:21.923232079 CEST 443 49709 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:21.923357010 CEST 49709 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:21.925098896 CEST 49709 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:21.976743937 CEST 443 49709 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:21.976779938 CEST 443 49709 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:21.976794958 CEST 443 49709 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:21.976881027 CEST 49709 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:22.016155958 CEST 49709 443 192.168.2.6 195.181.164.212

Mar 29, 2021 09:11:22.381566048 CEST 49709 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:22.381596088 CEST 49709 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:22.433373928 CEST 443 49709 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:22.433438063 CEST 443 49709 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:22.433733940 CEST 443 49709 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:22.435492992 CEST 49709 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:22.473201036 CEST 49709 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:27.128108025 CEST 49709 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:59.204843998 CEST 49724 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:59.255054951 CEST 443 49724 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:59.257035017 CEST 49724 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:59.257064104 CEST 49724 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:59.311692953 CEST 443 49724 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:59.311728001 CEST 443 49724 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:59.311745882 CEST 443 49724 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:59.311844110 CEST 49724 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:59.647576094 CEST 49724 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:59.647592068 CEST 49724 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:59.698836088 CEST 443 49724 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:59.698865891 CEST 443 49724 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:59.698947906 CEST 49724 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:11:59.699309111 CEST 443 49724 195.181.164.212 192.168.2.6
Mar 29, 2021 09:11:59.890932083 CEST 49724 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:06.434149981 CEST 49724 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:34.246356964 CEST 49738 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:34.296668053 CEST 443 49738 195.181.164.212 192.168.2.6
Mar 29, 2021 09:12:34.296828985 CEST 49738 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:34.299042940 CEST 49738 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:34.351587057 CEST 443 49738 195.181.164.212 192.168.2.6
Mar 29, 2021 09:12:34.351645947 CEST 443 49738 195.181.164.212 192.168.2.6
Mar 29, 2021 09:12:34.351684093 CEST 443 49738 195.181.164.212 192.168.2.6
Mar 29, 2021 09:12:34.351744890 CEST 49738 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:34.392765999 CEST 49738 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:34.757961035 CEST 49738 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:34.758436918 CEST 49738 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:34.808542967 CEST 443 49738 195.181.164.212 192.168.2.6
Mar 29, 2021 09:12:34.808602095 CEST 443 49738 195.181.164.212 192.168.2.6
Mar 29, 2021 09:12:34.809087992 CEST 49738 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:34.809184074 CEST 443 49738 195.181.164.212 192.168.2.6
Mar 29, 2021 09:12:34.848819971 CEST 49738 443 192.168.2.6 195.181.164.212
Mar 29, 2021 09:12:41.358772039 CEST 49738 443 192.168.2.6 195.181.164.212
UDP Packets

Mar 29, 2021 09:10:29.772059917 CEST 64267 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:10:29.837325096 CEST 53 64267 8.8.8.8 192.168.2.6
Mar 29, 2021 09:10:30.148868084 CEST 49448 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:10:30.196477890 CEST 53 49448 8.8.8.8 192.168.2.6
Mar 29, 2021 09:10:37.642491102 CEST 60342 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:10:37.706971884 CEST 53 60342 8.8.8.8 192.168.2.6
Mar 29, 2021 09:10:40.923221111 CEST 61346 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:10:40.971924067 CEST 53 61346 8.8.8.8 192.168.2.6
Mar 29, 2021 09:10:41.988894939 CEST 51774 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:10:42.043118954 CEST 53 51774 8.8.8.8 192.168.2.6
Mar 29, 2021 09:10:59.724641085 CEST 56023 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:10:59.770621061 CEST 53 56023 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:00.229293108 CEST 58384 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:00.275440931 CEST 53 58384 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:21.818695068 CEST 60261 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:21.865324020 CEST 53 60261 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:25.013258934 CEST 56061 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:25.070813894 CEST 53 56061 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:32.776454926 CEST 58336 53 192.168.2.6 8.8.8.8

Mar 29, 2021 09:11:32.822386980 CEST 53 58336 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:38.068340063 CEST 53781 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:38.117158890 CEST 53 53781 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:42.991051912 CEST 54064 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:43.045707941 CEST 53 54064 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:46.230000973 CEST 52811 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:46.286170006 CEST 53 52811 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:53.654352903 CEST 55299 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:53.701124907 CEST 53 55299 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:55.380251884 CEST 63745 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:55.426179886 CEST 53 63745 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:57.171549082 CEST 50055 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:57.217504978 CEST 53 50055 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:59.142276049 CEST 61374 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:59.198646069 CEST 53 61374 8.8.8.8 192.168.2.6
Mar 29, 2021 09:11:59.281196117 CEST 50339 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:11:59.327142000 CEST 53 50339 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:10.210242033 CEST 63307 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:10.266772032 CEST 53 63307 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:11.561749935 CEST 49694 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:11.607665062 CEST 53 49694 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:23.496516943 CEST 54982 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:23.550955057 CEST 53 54982 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:25.838094950 CEST 50010 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:25.885657072 CEST 53 50010 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:29.347220898 CEST 63718 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:29.419975996 CEST 53 63718 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:29.433367968 CEST 62116 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:29.482286930 CEST 53 62116 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:30.408241034 CEST 63816 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:30.455039978 CEST 53 63816 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:31.345590115 CEST 55014 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:31.391460896 CEST 53 55014 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:32.361498117 CEST 62208 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:32.416079044 CEST 53 62208 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:33.545768023 CEST 57574 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:33.592322111 CEST 53 57574 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:34.185832024 CEST 51818 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:34.239896059 CEST 53 51818 8.8.8.8 192.168.2.6
Mar 29, 2021 09:12:34.740175009 CEST 56628 53 192.168.2.6 8.8.8.8
Mar 29, 2021 09:12:34.786199093 CEST 53 56628 8.8.8.8 192.168.2.6
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

Mar 29, 2021 09:11:21.818695068 CEST 192.168.2.6 8.8.8.8 0x2e4b Standard query m1.uptime66.com A (IP address) IN (0x0001)
(0)
Mar 29, 2021 09:11:59.142276049 CEST 192.168.2.6 8.8.8.8 0x9ca6 Standard query m1.uptime66.com A (IP address) IN (0x0001)
(0)
Mar 29, 2021 09:12:34.185832024 CEST 192.168.2.6 8.8.8.8 0x94c7 Standard query m1.uptime66.com A (IP address) IN (0x0001)
(0)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Mar 29, 2021 8.8.8.8 192.168.2.6 0x2e4b No error (0) m1.uptime6 195.181.164.212 A (IP address) IN (0x0001)
09:11:21.865324020 6.com
CEST
Mar 29, 2021 8.8.8.8 192.168.2.6 0x9ca6 No error (0) m1.uptime6 195.181.164.212 A (IP address) IN (0x0001)
09:11:59.198646069 6.com
CEST
Mar 29, 2021 8.8.8.8 192.168.2.6 0x94c7 No error (0) m1.uptime6 195.181.164.212 A (IP address) IN (0x0001)
09:12:34.239896059 6.com
CEST

Code Manipulations
Statistics
Behavior
• UPX0v9WcE6.exe
• UPX0v9WcE6.exe
• conhost.exe
• UPX0v9WcE6.exe
• explorer.exe
• UPX0v9WcE6.exe
• conhost.exe
• UPX0v9WcE6.exe
• UPX0v9WcE6.exe
• UPX0v9WcE6.exe
• conhost.exe
• UPX0v9WcE6.exe
• UPX0v9WcE6.exe
• conhost.exe
• UPX0v9WcE6.exe
• svchost.exe
• conhost.exe
• UPX0v9WcE6.exe
• UPX0v9WcE6.exe
• UPX0v9WcE6.exe
• UPX0v9WcE6.exe
• conhost.exe
• conhost.exe
• UPX0v9WcE6.exe
Click to jump to process
System Behavior
Analysis Process: UPX0v9WcE6.exe PID: 5920 Parent PID: 5972
General

Start date: 29/03/2021
Path: C:\Users\user\Desktop\UPX0v9WcE6.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\UPX0v9WcE6.exe'
Imagebase: 0x400000
File size: 9046968 bytes
MD5 hash: B4C18286275126D4682C7E336566CB66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
File Read
Source
File Path Offset Length Completion Count Address Symbol
C:\Windows\SysWOW64\ntdll.dll unknown 1024 success or wait 1 2A92917 ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 1124864 success or wait 7 2A929DE ReadFile

General

Commandline: 'C:\Users\user\Desktop\UPX0v9WcE6.exe'
Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
Source
File Path Access Attributes Options Completion Count Address Symbol
Registry Activities
Key Created
Source
Key Path Completion Count Address Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\pubgame-updater success or wait 1 45D125 RegCreateKeyExW
Key Value Created
Source
Key Path Name Type Data Completion Count Address Symbol
HKEY_CURRENT_USER\Software\Mic Prun unicode "C:\Program Files (x86)\Public success or wait 1 45D125 RegSetValueExW
rosoft\Windows\CurrentVersion\Run Gaming\prun.exe"
HKEY_LOCAL_MACHINE\SYSTEM\Cont CustomSource dword 1 success or wait 1 45D125 RegSetValueExW
rolSet001\Services\EventLog\Application\pubgame-
updater
HKEY_LOCAL_MACHINE\SYSTEM\Cont EventMessageFile expand %SystemRoot%\System32\EventCre success or wait 1 45D125 RegSetValueExW
rolSet001\Services\EventLog\Application\pubgame- unicode ate.exe
updater
HKEY_LOCAL_MACHINE\SYSTEM\Cont TypesSupported dword 7 success or wait 1 45D125 RegSetValueExW
rolSet001\Services\EventLog\Application\pubgame-
updater
Analysis Process: conhost.exe PID: 1908 Parent PID: 956
General

Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Reputation: high

General

Commandline: C:\Users\user\Desktop\UPX0v9WcE6.exe
Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
File Read
Source
C:\Windows\SysWOW64\ntdll.dll unknown 1024 success or wait 1 15F2917 ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 1124864 success or wait 7 15F29DE ReadFile
Analysis Process: explorer.exe PID: 3440 Parent PID: 5920
General

Path: C:\Windows\explorer.exe
Commandline:
Imagebase: 0x7ff6f22f0000
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Reputation: high
File Activities
Source
File Path Offset Length Value Ascii Completion Count Address Symbol
Source
Registry Activities
Source
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
Source
File Written
Source
\Device\ConDrv unknown 7 70 61 6e 69 63 3a 20 panic: success or wait 80 45D125 WriteFile
Source
Registry Activities
Source
Key Path Name Type Old Data New Data Completion Count Address Symbol
General

Reputation: high
General

Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
File Read
Source
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
File Read
Source
C:\Windows\SysWOW64\ntdll.dll unknown 1024 success or wait 1 15C2917 ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 1124864 success or wait 7 15C29DE ReadFile
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
Source

General

Reputation: high
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
File Read
Source
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low

File Activities
Source
File Written
Source
Source
General

Reputation: high
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
Source
Analysis Process: svchost.exe PID: 3688 Parent PID: 560
General


Path: C:\Windows\System32\svchost.exe
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff6b7590000
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Reputation: high
File Activities
Source
Source
Source
Registry Activities
Source
Key Path Completion Count Address Symbol
Source
General

Reputation: high
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66

Reputation: low
File Activities
Source
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
File Read
Source
C:\Windows\SysWOW64\ntdll.dll unknown 1024 success or wait 1 2932917 ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 1124864 success or wait 7 29329DE ReadFile
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
File Activities
Source
File Written
Source

Source
General

Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Reputation: low
General

Reputation: high
General

General
Imagebase: 0x400000
MD5 hash: B4C18286275126D4682C7E336566CB66
Disassembly
Code Analysis

Id: 377188 Sample Name: Upx0V9Wce6 Cookbook: Default - Jbs Time: 09:09:49 Date: 29/03/2021 Version: 31.0.0 Emerald

Uploaded by

Copyright:

Available Formats

Id: 377188 Sample Name: Upx0V9Wce6 Cookbook: Default - Jbs Time: 09:09:49 Date: 29/03/2021 Version: 31.0.0 Emerald

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Id: 377188 Sample Name: Upx0V9Wce6 Cookbook: Default - Jbs Time: 09:09:49 Date: 29/03/2021 Version: 31.0.0 Emerald

Uploaded by

Copyright:

Available Formats

ID: 377188

Sample Name: UPX0v9WcE6

Copyright Joe Security LLC 2021 Page 3 of 36

Copyright Joe Security LLC 2021 Page 4 of 36

General Information Detection Signatures Classification

Sample UPX0v9WcE6 (renamed

SHA256: Multi AV Scanner

Tags: LTDSERVICESLIMITED signed Creates aamemory

Most interesting Screenshot: Hijacks

Range: 0 - 100 Overwrites

Whitelisted: false PE fileto

No configs have been found

Copyright Joe Security LLC 2021 Page 5 of 36

No Sigma rule has matched

Click to jump to signature section

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

PE file has nameless sections

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Copyright Joe Security LLC 2021 Page 6 of 36

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Writes to foreign memory regions

Mitre Att&ck Matrix

Initial Privilege Credential Lateral Command Network

Copyright Joe Security LLC 2021 Page 7 of 36

Number of created Registry Values 2 other processes

Number of created Files

Visual Basic unknown

injected started started started started

explorer.exe UPX0v9WcE6.exe UPX0v9WcE6.exe .Net C# or VB.NET UPX0v9WcE6.exe UPX0v9WcE6.exe

1 4 1 1 C, C++ or other language 1 1

UPX0v9WcE6.exe UPX0v9WcE6.exe UPX0v9WcE6.exe UPX0v9WcE6.exe conhost.exe conhost.exe conhost.exe conhost.exe

Overwrites code with

UPX0v9WcE6.exe UPX0v9WcE6.exe UPX0v9WcE6.exe

started started started

conhost.exe conhost.exe conhost.exe

Copyright Joe Security LLC 2021 Page 8 of 36

Source Detection Scanner Label Link

Source Detection Scanner Label Link Download

Source Detection Scanner Label Link

Source Detection Scanner Label Link

Copyright Joe Security LLC 2021 Page 10 of 36

Domains and IPs

Name IP Active Malicious Antivirus Detection Reputation

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation

Copyright Joe Security LLC 2021 Page 11 of 36

www.fontbureau.com/designers/frere-jones.html explorer.exe, 00000005.0000000 false high

www.galapagosdesign.com/DPlease explorer.exe, 00000005.0000000 false URL Reputation: safe unknown

No. of IPs < 25%