Edit tour

Windows Analysis Report
splash.exe

Overview

General Information

Sample name:	splash.exe
Analysis ID:	1392004
MD5:	1d6f912aff2d1cafe1c9c705d5b9c784
SHA1:	ba4a1d67305f8522ef39e4d28ae23caeccab84e4
SHA256:	1be5fe98c289fbf7a6e5aae8e5e272839831e8aa6948202c2e1570f1460f30ab
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Queries keyboard layouts

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample reads itself and does not show any behavior, likely it performs some host environment checks which are compared to an embedded key

Process Tree

System is w10x64

splash.exe (PID: 7116 cmdline: C:\Users\user\Desktop\splash.exe MD5: 1D6F912AFF2D1CAFE1C9C705D5B9C784)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: splash.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: splash.exe

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: splash.exe, 00000000.00000002.2880519167.0000000003FA1000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs splash.exe

Source: C:\Users\user\Desktop\splash.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: splash.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean4.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\splash.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\splash.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: splash.exe, 00000000.00000000.1610936281.000000000041B000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT D.RDB$CHARACTER_SET_NAME, CS.RDB$DEFAULT_COLLATE_NAME, CS.RDB$CHARACTER_SET_ID, CS.RDB$BYTES_PER_CHARACTER FROM RDB$DATABASE D LEFT JOIN RDB$CHARACTER_SETS CS on D.RDB$CHARACTER_SET_NAME = CS.RDB$CHARACTER_SET_NAME; U
Source: splash.exe, 00000000.00000000.1610936281.000000000041B000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: select * from encodings;U

Source: C:\Users\user\Desktop\splash.exe

File read: C:\Users\user\Desktop\splash.exe

Jump to behavior

Source: C:\Users\user\Desktop\splash.exe

Window found: window name: TButton

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: splash.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: splash.exe

Static file information: File size 4264448 > 1048576

Source: splash.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39e400

Source: splash.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\splash.exe

Code function: 0_2_0040DE18 push ecx; mov dword ptr [esp], edx

0_2_0040DE19

Source: C:\Users\user\Desktop\splash.exe

Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\splash.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\splash.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\Desktop\splash.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\Desktop\splash.exe

Code function: 0_2_0040DC84 GetSystemInfo,

0_2_0040DC84

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
splash.exe	0%	ReversingLabs
splash.exe	1%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1392004
Start date and time:	2024-02-14 09:51:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	splash.exe
Detection:	CLEAN
Classification:	clean4.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.565892881678606
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	splash.exe
File size:	4'264'448 bytes
MD5:	1d6f912aff2d1cafe1c9c705d5b9c784
SHA1:	ba4a1d67305f8522ef39e4d28ae23caeccab84e4
SHA256:	1be5fe98c289fbf7a6e5aae8e5e272839831e8aa6948202c2e1570f1460f30ab
SHA512:	449000830230eaccb291d10e5fdfa7b16c6bcd903d5b5ab2e052c337776e4b61afe5ba726c32e561322883b71741d92316fc1d61f303b7740e9473fbb2cefc19
SSDEEP:	49152:rh5bF2hlaG8VE2bKSo+JeSU4iMGHDSP072IjoNpe5pFXLBOWVY4Ddl16wof+kQlQ:rh5bFHEeK1DSPejo0L0EY4qJpEQ
TLSH:	CE165B13B288643ED0661A3A4D7BD3945D3FBA602A26DC5B7BF4494C0F35580BE3E61B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	dbe365646461d38a

Static PE Info

General

Entrypoint:	0x7a24e0
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x5DB7D44E [Tue Oct 29 05:55:26 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	95de56d585980467c1773c18727cbe59

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00794A30h
call 00007FD9CC4829E9h
mov eax, dword ptr [007AAF58h]
mov eax, dword ptr [eax]
call 00007FD9CC631581h
mov eax, 007A253Ch
call 00007FD9CC646E03h
mov ecx, dword ptr [007AB2D8h]
mov eax, dword ptr [007AAF58h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00791E54h]
call 00007FD9CC631577h
mov eax, dword ptr [007AAF58h]
mov eax, dword ptr [eax]
call 00007FD9CC6316CFh
call 00007FD9CC47D1A6h
add byte ptr [eax-00FFFDFCh], dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b2000	0x3c2e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40d000	0xfe00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b9000	0x537b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3b8000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b2ae4	0x940	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3b6000	0x9d6	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x39e3f0	0x39e400	6de086eb4882fa25a6cbc3f806906a93	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x3a0000	0x254c	0x2600	2a623ed04793f3927d0f9f6e1d623110	False	0.49054276315789475	data	6.403439124061819	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3a3000	0x8314	0x8400	d51ec02d184525d58df3cb8c075369f2	False	0.41962594696969696	data	5.3801148768960685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x3ac000	0x58e0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x3b2000	0x3c2e	0x3e00	af5b00364ae8149e553ed64a8fc12596	False	0.3019153225806452	data	5.068942393992681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x3b6000	0x9d6	0xa00	e1601193ba7476df83411389bbc8e0ab	False	0.357421875	data	4.112282022843754	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3b7000	0x44	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x3b8000	0x18	0x200	e8ddacb15a62ba6da149b08819b43893	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b9000	0x537b8	0x53800	8e0f64e6d515df9e340fe9cb11246494	False	0.5505356474550899	data	6.709457346099265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x40d000	0xfe00	0xfe00	7c1db2363a7c76559b2879824ee7f993	False	0.27376045767716534	data	4.300972069370853	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x40e078	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x40e1ac	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x40e2e0	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x40e414	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x40e548	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x40e67c	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x40e7b0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x40e8e4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x40eab4	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x40ec98	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x40ee68	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x40f038	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x40f208	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x40f3d8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x40f5a8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x40f778	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x40f948	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x40fb18	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_ICON	0x40fc00	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5447976878612717
RT_ICON	0x410168	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.19223826714801445
RT_DIALOG	0x410a10	0x52	data			0.7682926829268293
RT_DIALOG	0x410a64	0x52	data			0.7560975609756098
RT_STRING	0x410ab8	0x520	data			0.3879573170731707
RT_STRING	0x410fd8	0x530	data			0.42168674698795183
RT_STRING	0x411508	0x380	data			0.41294642857142855
RT_STRING	0x411888	0x3a8	data			0.3696581196581197
RT_STRING	0x411c30	0x3a8	data			0.38675213675213677
RT_STRING	0x411fd8	0x4c0	data			0.3470394736842105
RT_STRING	0x412498	0x4b8	data			0.38162251655629137
RT_STRING	0x412950	0x49c	data			0.3576271186440678
RT_STRING	0x412dec	0x56c	data			0.2989913544668588
RT_STRING	0x413358	0x370	data			0.37386363636363634
RT_STRING	0x4136c8	0x50c	data			0.42879256965944273
RT_STRING	0x413bd4	0x6e0	data			0.31988636363636364
RT_STRING	0x4142b4	0x4bc	data			0.3943894389438944
RT_STRING	0x414770	0x538	data			0.35778443113772457
RT_STRING	0x414ca8	0x59c	data			0.334958217270195
RT_STRING	0x415244	0x67c	data			0.26867469879518074
RT_STRING	0x4158c0	0x4ac	data			0.387123745819398
RT_STRING	0x415d6c	0x3e4	data			0.31224899598393574
RT_STRING	0x416150	0x30c	data			0.48333333333333334
RT_STRING	0x41645c	0x3e4	data			0.4146586345381526
RT_STRING	0x416840	0xcc	data			0.6813725490196079
RT_STRING	0x41690c	0x11c	data			0.6267605633802817
RT_STRING	0x416a28	0x2b8	data			0.45689655172413796
RT_STRING	0x416ce0	0x5a0	data			0.32569444444444445
RT_STRING	0x417280	0x538	data			0.37350299401197606
RT_STRING	0x4177b8	0x504	data			0.3302180685358255
RT_STRING	0x417cbc	0x3c0	data			0.40520833333333334
RT_STRING	0x41807c	0x498	data			0.3562925170068027
RT_STRING	0x418514	0x5bc	data			0.36239782016348776
RT_STRING	0x418ad0	0x5e0	data			0.32180851063829785
RT_STRING	0x4190b0	0x478	data			0.36363636363636365
RT_STRING	0x419528	0x584	data			0.35410764872521244
RT_STRING	0x419aac	0x258	data			0.39
RT_STRING	0x419d04	0xac	StarOffice Gallery theme \344, 117469696 objects, 1st t			0.6337209302325582
RT_STRING	0x419db0	0x164	data			0.5449438202247191
RT_STRING	0x419f14	0x3c4	data			0.43568464730290457
RT_STRING	0x41a2d8	0x5c0	data			0.29008152173913043
RT_STRING	0x41a898	0x38c	data			0.43502202643171806
RT_STRING	0x41ac24	0x36c	data			0.4269406392694064
RT_RCDATA	0x41af90	0x10	data			1.5
RT_RCDATA	0x41afa0	0x105c	data			0.4512893982808023
RT_RCDATA	0x41bffc	0x2	data	English	United States	5.0
RT_RCDATA	0x41c000	0x6db	Delphi compiled form 'TfrmUpdateMain'			0.3749287749287749
RT_GROUP_CURSOR	0x41c6dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x41c6f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x41c704	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c718	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c72c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c740	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c754	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x41c768	0x22	data	English	United States	0.9705882352941176
RT_VERSION	0x41c78c	0x140	MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79	English	United States	0.55
RT_MANIFEST	0x41c8cc	0x242	XML 1.0 document, ASCII text, with CRLF line terminators	German	Germany	0.5397923875432526
RT_MANIFEST	0x41cb10	0x2ca	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5028011204481793

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	MessageBoxA, CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, lstrcpynW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, SetCurrentDirectoryW, GetCurrentDirectoryW, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, CharLowerBuffA, CharUpperBuffA, CharToOemBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, SearchPathA, ResumeThread, ResetEvent, ReleaseMutex, ReadFile, RaiseException, IsDebuggerPresent, OpenProcess, OpenFileMappingW, MulDiv, MapViewOfFile, LockResource, LocalFree, LoadResource, LoadLibraryA, LoadLibraryW, LeaveCriticalSection, IsValidLocale, IsDBCSLeadByte, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetSystemTimes, GetSystemDefaultLCID, GetStdHandle, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileA, FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, FatalAppExitA, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateProcessW, CreatePipe, CreateMutexA, CreateFileMappingW, CreateFileW, CreateEventW, CompareStringA, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExA, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExA, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey, OpenThreadToken, OpenProcessToken, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoGetMalloc, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
shell32.dll	ShellExecuteW, Shell_NotifyIconW
comdlg32.dll	GetOpenFileNameW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
German	Germany

• splash.exe

Click to jump to process

Memory Usage

• splash.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	09:51:49
Start date:	14/02/2024
Path:	C:\Users\user\Desktop\splash.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\splash.exe
Imagebase:	0x400000
File size:	4'264'448 bytes
MD5 hash:	1D6F912AFF2D1CAFE1C9C705D5B9C784
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.3%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 0040DC84 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 0040DC88

Memory Dump Source

Source File: 00000000.00000002.2874868239.000000000040D000.00000040.00000001.01000000.00000003.sdmp, Offset: 0040D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40d000_splash.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 03be8272adcec84587fb680d46cbf66215f19bd3d124daa57321af8cf96470f6
Instruction ID: ab465e1d12aaf1621e823fa79fd441c6875617633ec413f9b9e9586c3460d472
Opcode Fuzzy Hash: 03be8272adcec84587fb680d46cbf66215f19bd3d124daa57321af8cf96470f6
Instruction Fuzzy Hash: BCA012504094000AC444B7294C4340F31801DC1514FC40225745CB52C2E619856443DB

Uniqueness

Uniqueness Score: -1.00%

Function 00424EAA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 00424EBD

Strings

{, xrefs: 00424F27
, xrefs: 00424F07

Memory Dump Source

Source File: 00000000.00000002.2874886485.0000000000424000.00000040.00000001.01000000.00000003.sdmp, Offset: 00424000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_424000_splash.jbxd

Similarity

API ID: AttributesFile
String ID: ${
API String ID: 3188754299-4046706400
Opcode ID: f295e20d358cdc4997aef3aef0cb5c0557710e3e77c75bcd0a85ce439dc08935
Instruction ID: 396f83e6484cd521bcaf67aa58f99ee58a1af3961ad67c95e6414c6bdb891542
Opcode Fuzzy Hash: f295e20d358cdc4997aef3aef0cb5c0557710e3e77c75bcd0a85ce439dc08935
Instruction Fuzzy Hash: 7F01D8353253B035EA3520793F867BB4585CBC27A8FBB0917F951D62E1D18D4C93112E

Uniqueness

Uniqueness Score: -1.00%

Function 00424E1C Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,?,?), ref: 00424E3E

Memory Dump Source

Source File: 00000000.00000002.2874886485.0000000000424000.00000040.00000001.01000000.00000003.sdmp, Offset: 00424000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_424000_splash.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d75dac4184f4f2d9cf9b89d83c35001d28d87b2e55c3b4a5f391358c10284337
Instruction ID: 80f8d11baebe0a4d20885d47892e30a4b7ae81e44b4c0dfa957540e2ae617548
Opcode Fuzzy Hash: d75dac4184f4f2d9cf9b89d83c35001d28d87b2e55c3b4a5f391358c10284337
Instruction Fuzzy Hash: 23F0BD75904218AF9B10DBA899819DEB7B8EB48270F204256A964E32C0E6709E409754

Uniqueness

Uniqueness Score: -1.00%

Function 00424CA8 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000), ref: 00424CF7

Memory Dump Source

Source File: 00000000.00000002.2874886485.0000000000424000.00000040.00000001.01000000.00000003.sdmp, Offset: 00424000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_424000_splash.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 118e18c520cf3b236d65d2c343f1e34ed7f5b2cc09ac484c0683fbad383afc26
Instruction ID: 024b2a3f083aeb4ad1a3f9898b29fd419935976f4b624681457736e90f04fa8a
Opcode Fuzzy Hash: 118e18c520cf3b236d65d2c343f1e34ed7f5b2cc09ac484c0683fbad383afc26
Instruction Fuzzy Hash: CDE022B2B405202AF22069AEEC81F0B614DC7C2B75F4B4232F601EB2D2C0ACDC0182AC

Uniqueness

Uniqueness Score: -1.00%

Function 00424D52 Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00424D68

Memory Dump Source

Source File: 00000000.00000002.2874886485.0000000000424000.00000040.00000001.01000000.00000003.sdmp, Offset: 00424000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_424000_splash.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: baa86a772da2ebef7f7947b1af1ac1bd3254dae8349757f2816525d023a17cba
Instruction ID: 52c4581654f970477ce2546814d71d6605f16a713bfe76a781c2c5bb0ff33272
Opcode Fuzzy Hash: baa86a772da2ebef7f7947b1af1ac1bd3254dae8349757f2816525d023a17cba
Instruction Fuzzy Hash: 0FD012B23181507AE220956E6D44EBB5ADCCBC5770F11063AB558C2181D7608C018375

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report splash.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: splash.exePID: 7116, Parent PID: 2580

General

File Activities

File Opened

File Read

File Attributes Queried

Other File Operations

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Windows Analysis Report
splash.exe

Function 0040DC84 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00424EAA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Function 00424E1C Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Function 00424CA8 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Function 00424D52 Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON