Edit tour

Windows Analysis Report
app.exe

Overview

General Information

Sample name:	app.exe
Analysis ID:	1436386
MD5:	75b9ef9142a78671d449c8d22ab6be14
SHA1:	0461f1c46644acde8020bb59b53b1e34b65977ca
SHA256:	e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
Tags:	185213208245exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to infect the boot sector

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Queries memory information (via WMI often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

app.exe (PID: 5348 cmdline: "C:\Users\user\Desktop\app.exe" MD5: 75B9EF9142A78671D449C8D22AB6BE14)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: app.exe

Virustotal: Detection: 11%

Perma Link

Machine Learning detection for sample

Source: app.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024404D0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,TlsSetValue,HeapFree,TlsSetValue,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024404C0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,

Source: app.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00427361 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02454B93 FindFirstFileExW,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,

Source: app.exe, 00000000.00000002.2022098881.0000000002300000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: https://POSTHTTP/1.1Content-Type:

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00424B38 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

System Summary

PE file contains section with special chars

Source: app.exe

Static PE information: section name: )m&

PE file has a writeable .text section

Source: app.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024302D0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024377D0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02419E36 AcquireSRWLockExclusive,AcquireSRWLockExclusive,NtDeviceIoControlFile,RtlNtStatusToDosError,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive,

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0040A44A: GetCurrentProcess,SetPriorityClass,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_004092DE
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00404358
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0040941D
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0040964F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0040A770
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00407703
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_004077F6
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00409A38
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00412AC0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00425B56
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00407DBE
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00404E54
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00418E0E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F01BB
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024491D2
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0242E5F7
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0240AA16
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F3ABA
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02441862
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02401E40
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0240BD08
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02410225
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02413224
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02443239
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024272C2
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024342F5
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241628E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243F340
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D6320
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244430E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244632B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244D3C0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245D3D0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024153DD
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FC38E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02453389
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024613BD
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023EA020
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02413001
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0242E030
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024420E3
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023EB090
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D3130
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245E16F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241B13B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DA1B0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F11A0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02421180
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DB1F0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245E605
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D2670
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023EB695
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02430690
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241C6AE
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E771C
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E670C
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E7754
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D3790
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E47F3
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02416468
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D3400
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F2449
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245F4C2
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024274D0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024234D6
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DE490
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DB4C0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02414544
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244352A
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024085C9
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024485F4
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02408A44
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FBAB0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E3AF8
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02414A88
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02441B40
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02412B5E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FDB7B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FEB69
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426B1B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245BB18
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F6B58
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D1B50
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DBB50
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DAB90
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245D844
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0240585F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D48A0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DF8EC
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02443890
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024298A5
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E3962
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D9950
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E799F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02431E40
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02460E40
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FAE37
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02427E74
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02419E36
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426ECC
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241DEE0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F7EF1
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D6EC0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426F5B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E2F21
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241CF7C
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F3C05
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02420C00
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02407C09
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E2C6E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F7C6F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426CC5
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02445CD3
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F7CA3
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245DCE6
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D2C90
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245FCA7
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02412D42
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02424D4A
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02417D14
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02418D25
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426DD2
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02434DD0

Source: C:\Users\user\Desktop\app.exe	Code function: String function: 00416398 appears 132 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 0244DE90 appears 33 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 023D3D50 appears 96 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 00416EF8 appears 50 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 0245CAF0 appears 158 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 0245C9A0 appears 60 times

Source: app.exe, 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs app.exe
Source: app.exe	Binary or memory string: OriginalFilename vs app.exe

Source: app.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: app.exe	Binary string: Could not open \device\physicalmemory
Source: app.exe	Binary string: Could not map view of %X length %XCould not open \device\physicalmemory\device\physicalmemoryRtlNtStatusToDosErrorNtMapViewOfSectionNtOpenSectionNtUnmapViewOfSectionntdll.dllRtlInitUnicodeString%c

Source: classification engine

Classification label: mal76.evad.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_02432A50 GetModuleHandleW,FormatMessageW,GetLastError,HeapFree,

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0040A130 GetVersionExA,CoCreateInstance,CoSetProxyBlanket,VariantInit,lstrlenW,lstrcpynA,WideCharToMultiByte,_strcat,

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00423119 EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Users\user\Desktop\app.exe	Mutant created: \Sessions\1\BaseNamedObjects\hrzbaov

Source: app.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\app.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process

Source: C:\Users\user\Desktop\app.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: app.exe

Virustotal: Detection: 11%

Source: unknown	Process created: C:\Users\user\Desktop\app.exe "C:\Users\user\Desktop\app.exe"
Source: C:\Users\user\Desktop\app.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\app.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\app.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\app.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: app.exe

Static file information: File size 1290240 > 1048576

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0042C59F VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,

Source: app.exe

Static PE information: section name: )m&

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00416398 push eax; ret
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00415460 push eax; ret
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00415460 push eax; ret
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0047EC7F push FFFFFFA1h; retf
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00416F33 push ecx; ret
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024623AD push es; iretd
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245C6A1 push ecx; ret
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02463881 push eax; ret
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0246691F push eax; ret

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,DeviceIoControl,_strcat,_strcat,CloseHandle, \\.\PhysicalDrive%d

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,DeviceIoControl,_strcat,_strcat,CloseHandle, \\.\PhysicalDrive%d

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00401660 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0040CFF1 IsIconic,GetWindowPlacement,GetWindowRect,

Source: C:\Users\user\Desktop\app.exe

Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\app.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Memory

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: app.exe, 00000000.00000003.1976771818.0000000000871000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000000.00000002.2021942238.0000000000867000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000000.00000003.2021386733.0000000000864000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000000.00000003.2021401793.0000000000866000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: IDAQ.EXE

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00408FF2 rdtsc

Source: C:\Users\user\Desktop\app.exe

Code function: __EH_prolog,LoadLibraryA,FreeLibrary,GetAdaptersInfo,_strcat,GetAdaptersInfo,

Source: C:\Users\user\Desktop\app.exe

API coverage: 1.8 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00427361 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02454B93 FindFirstFileExW,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0041E91D VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00408FF2 rdtsc

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_024544E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0042C59F VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0243D430 GetProcessHeap,RtlAllocateHeap,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0041B198 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0041B1AC SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DEAC0 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError,HeapFree,HeapFree,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244E0C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024544E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244DC6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244DDCA SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\app.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00409127 cpuid

Source: C:\Users\user\Desktop\app.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\app.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\app.exe	Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA,

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0041C882 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00415DDE EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Bootkit	1 Process Injection	1 Disable or Modify Tools	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	33 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
app.exe	11%	ReversingLabs
app.exe	11%	Virustotal	Browse
app.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://POSTHTTP/1.1Content-Type:	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://POSTHTTP/1.1Content-Type:	app.exe, 00000000.00000002.2022098881.0000000002300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436386
Start date and time:	2024-05-05 00:18:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 46s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	app.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.441704402192102
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	app.exe
File size:	1'290'240 bytes
MD5:	75b9ef9142a78671d449c8d22ab6be14
SHA1:	0461f1c46644acde8020bb59b53b1e34b65977ca
SHA256:	e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
SHA512:	14ef889f580c02e319b6d9d899ddbd1bd523c1d8b493eab8b98da6d3d276d76efb9b5694759df7d68bb9d002a8ace8fc82d22121a7b4ea236d5f9cef38cc809c
SSDEEP:	24576:CIFxe+AY3rqYsavMOQdbac5IQH97wiI3dzAr09UDZ5YUD8:1xeSNR0vbac5/d8P3diDZ6q
TLSH:	8255CF05F3D2B8B1D15192772DC96161B6ED993048D83F0732D0EE5E1B3B9A6B40FE2A
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........P(..>{..>{..>{?.c{..>{v..{..>{...{..>{f."{..>{e."{..>{F.'{..>{..?{..>{F.~{..>{F."{&.>{...{..>{..5{..>{..^{..>{F.#{..>{F.{{..>

File Icon


Icon Hash:	0f4ecda7ae5d1715

Static PE Info

General

Entrypoint:	0x415dde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x500F9507 [Wed Jul 25 06:41:11 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	26600adf486f72b556f917a64c8fd23f

Entrypoint Preview

Instruction
push 00000060h
push 0043A478h
call 00007FD5D0B6F503h
mov edi, 00000094h
mov eax, edi
call 00007FD5D0B6DA5Fh
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [0042F2B4h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [0044B190h], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [0044B19Ch], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [0044B1A0h], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [0044B194h], esi
cmp ecx, 02h
je 00007FD5D0B6E3FEh
or esi, 00008000h
mov dword ptr [0044B194h], esi
shl eax, 08h
add eax, edx
mov dword ptr [0044B198h], eax
xor esi, esi
push esi
mov edi, dword ptr [0042F20Ch]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007FD5D0B6E411h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007FD5D0B6E404h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007FD5D0B6E411h
cmp eax, 0000020Bh
je 00007FD5D0B6E3F7h
mov dword ptr [ebp-1Ch], esi
jmp 00007FD5D0B6E419h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007FD5D0B6E3E4h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007FD5D0B6E400h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007FD5D0B6E3D4h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax

Rich Headers

Programming Language:

[ASM] VS2002 (.NET) build 9466
[ C ] VS2002 (.NET) build 9466
[C++] VS2003 (.NET) build 3077
[C++] VS2002 (.NET) build 9466
[RES] VS2002 (.NET) build 9466
[LNK] VS2002 (.NET) build 9466

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3f924	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x2f5f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2f000	0x594	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2db32	0x2e000	7868e2f41e5b3ab908ac5a72a66f5953	False	0.6095076851222826	data	6.670624963209676	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x2f000	0x126c6	0x13000	efd458d4cde7206fd4c5482997a30ba9	False	0.4482421875	data	5.736665908168061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x42000	0xa9f4	0x4000	07b79e131c84ddfb0842641915843ec1	False	0.4459228515625	data	5.072911159589167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0x2f5f0	0x30000	2686df77c23e2ca3144ababd1a5e1501	False	0.2823994954427083	data	4.484521144858898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
)m&	0x7d000	0xc5000	0xc5000	acab40631ef6f655b384348be6aac2b9	False	0.841724996034264	data	7.775469163423906	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
JPG	0x4f2b0	0x2b1e6	PC bitmap, Windows 3.x format, 635 x 276 x 8, cbSize 176614, bits offset 1078	Chinese	China	0.27774128891254374
RT_CURSOR	0x7a498	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x7a5d0	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_CURSOR	0x7a6b0	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.36363636363636365
RT_CURSOR	0x7a800	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Chinese	China	0.35714285714285715
RT_CURSOR	0x7a950	0x134	data	Chinese	China	0.37337662337662336
RT_CURSOR	0x7aaa0	0x134	data	Chinese	China	0.37662337662337664
RT_CURSOR	0x7abf0	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Chinese	China	0.36688311688311687
RT_CURSOR	0x7ad40	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x7ae90	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Chinese	China	0.36688311688311687
RT_CURSOR	0x7afe0	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Chinese	China	0.38636363636363635
RT_CURSOR	0x7b130	0x134	data	Chinese	China	0.44155844155844154
RT_CURSOR	0x7b280	0x134	data	Chinese	China	0.4155844155844156
RT_CURSOR	0x7b3d0	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.5422077922077922
RT_CURSOR	0x7b520	0x134	data	Chinese	China	0.2662337662337662
RT_CURSOR	0x7b670	0x134	data	Chinese	China	0.2824675324675325
RT_CURSOR	0x7b7c0	0x134	data	Chinese	China	0.3246753246753247
RT_BITMAP	0x7b9f8	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x7bab0	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x4db70	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.6042418772563177
RT_ICON	0x4e430	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.6042418772563177
RT_DIALOG	0x4ecf0	0x23e	data	Chinese	China	0.5174216027874564
RT_DIALOG	0x4ef30	0x94	data	Chinese	China	0.6959459459459459
RT_DIALOG	0x7b910	0xe2	data	Chinese	China	0.6637168141592921
RT_STRING	0x7bbf8	0x46	data	Chinese	China	0.6857142857142857
RT_STRING	0x7bc40	0x54	data	Chinese	China	0.8571428571428571
RT_STRING	0x7bc98	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x7bcc8	0x74	data	Chinese	China	0.8448275862068966
RT_STRING	0x7bd40	0x1d0	data	Chinese	China	0.8060344827586207
RT_STRING	0x7c088	0x164	data	Chinese	China	0.48314606741573035
RT_STRING	0x7bf50	0x132	data	Chinese	China	0.6405228758169934
RT_STRING	0x7c570	0x50	data	Chinese	China	0.725
RT_STRING	0x7bf10	0x40	data	Chinese	China	0.65625
RT_STRING	0x7c4d8	0x6a	data	Chinese	China	0.7452830188679245
RT_STRING	0x7c1f0	0x1d6	data	Chinese	China	0.6723404255319149
RT_STRING	0x7c3c8	0x110	data	Chinese	China	0.625
RT_STRING	0x7c548	0x24	data	Chinese	China	0.4444444444444444
RT_STRING	0x7c5c0	0x30	data	Chinese	China	0.625
RT_GROUP_CURSOR	0x7a688	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_CURSOR	0x7ae78	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7a7e8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7ad28	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7abd8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b508	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7aa88	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b118	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7a938	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7afc8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b268	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b3b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b658	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b7a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b8f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_ICON	0x4e418	0x14	data	Chinese	China	1.15
RT_GROUP_ICON	0x4ecd8	0x14	data	Chinese	China	1.25
RT_VERSION	0x4efc8	0x2e8	data	Chinese	China	0.5631720430107527

Imports

DLL	Import
KERNEL32.dll	LockFile, UnlockFile, SetEndOfFile, DuplicateHandle, FindClose, FindFirstFileA, GetFullPathNameA, GetCPInfo, GetOEMCP, FileTimeToSystemTime, SetErrorMode, FileTimeToLocalFileTime, GetFileAttributesA, GetFileTime, GetTickCount, HeapAlloc, HeapFree, RtlUnwind, GetStartupInfoA, GetCommandLineA, RaiseException, GetSystemTimeAsFileTime, ExitProcess, TerminateProcess, HeapReAlloc, HeapSize, FlushFileBuffers, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, GetCurrentProcessId, LCMapStringA, LCMapStringW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, VirtualProtect, GetSystemInfo, VirtualQuery, SetStdHandle, SetEnvironmentVariableA, SetFilePointer, GlobalFlags, WritePrivateProfileStringA, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, GlobalDeleteAtom, lstrcmpA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, SetLastError, GlobalFree, MulDiv, GlobalAlloc, GlobalLock, GlobalUnlock, GetModuleHandleA, GetProcAddress, FormatMessageA, LocalFree, CopyFileA, GetCurrentDirectoryA, FreeResource, OpenFile, GetCurrentProcess, SetPriorityClass, lstrcpynA, DeviceIoControl, ReadFile, GetFileSize, GetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetSystemDirectoryA, CreateFileA, WriteFile, CloseHandle, DeleteFileA, GetModuleFileNameA, LoadLibraryA, FreeLibrary, GetVolumeInformationA, OutputDebugStringA, DebugBreak, InterlockedIncrement, InterlockedDecrement, FindResourceA, LoadResource, LockResource, SizeofResource, lstrlenA, lstrcmpiA, CompareStringW, lstrlenW, CompareStringA, GetVersion, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, HeapDestroy, InterlockedExchange
USER32.dll	InvalidateRgn, SetCapture, ReleaseCapture, GetNextDlgGroupItem, MessageBeep, RegisterClipboardFormatA, PostThreadMessageA, GetForegroundWindow, GetTopWindow, UnhookWindowsHookEx, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSysColor, AdjustWindowRectEx, EqualRect, GetClassInfoA, RegisterClassA, UnregisterClassA, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, CopyRect, PtInRect, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, EndPaint, DestroyWindow, IsWindow, InvalidateRect, GetNextDlgTabItem, EndDialog, SetMenuItemBitmaps, GetFocus, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, SetCursor, PostMessageA, PostQuitMessage, wsprintfA, GetMenuState, GetMenuItemID, GetMenuItemCount, CharLowerA, CharUpperA, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GetSubMenu, MessageBoxA, CharNextA, wvsprintfA, GetSystemMetrics, LoadIconA, EnableWindow, GetClientRect, IsIconic, GetSystemMenu, SendMessageA, AppendMenuA, CopyAcceleratorTableA, SetRect, IsRectEmpty, DrawIcon, LoadCursorA, GetDlgItem, GetSysColorBrush, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, DestroyMenu, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, SetFocus, IsChild, GetWindowTextLengthA, CreateDialogIndirectParamA, GetWindowTextA, GetMessageTime
GDI32.dll	SetMapMode, DeleteObject, GetViewportExtEx, GetWindowExtEx, PtVisible, RectVisible, TextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, GetStockObject, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetDeviceCaps
comdlg32.dll	GetFileTitleA
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll	RegEnumKeyA, RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegCloseKey, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA
COMCTL32.dll
SHLWAPI.dll	PathFindExtensionA, PathFindFileNameA, PathStripToRootA, PathIsUNCA
oledlg.dll
ole32.dll	CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoTaskMemAlloc, OleInitialize, OleUninitialize, CoTaskMemFree, CoCreateInstance, CoSetProxyBlanket, CoInitialize, CoUninitialize, CoRevokeClassObject, OleIsCurrentClipboard, OleFlushClipboard, CoFreeUnusedLibraries, CoRegisterMessageFilter
OLEAUT32.dll	VariantInit, SysAllocStringLen, VariantClear, VariantChangeType, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, SystemTimeToVariantTime, SafeArrayDestroy, VariantCopy, SysAllocString, SysFreeString
iphlpapi.dll	GetAdaptersInfo
OLEACC.dll	LresultFromObject, CreateStdAccessibleObject

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Target ID:	0
Start time:	00:18:52
Start date:	05/05/2024
Path:	C:\Users\user\Desktop\app.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\app.exe"
Imagebase:	0x400000
File size:	1'290'240 bytes
MD5 hash:	75B9EF9142A78671D449C8D22AB6BE14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Analysis Process: conhost.exePID: 6568, Parent PID: 5348

General

Target ID:	1
Start time:	00:18:52
Start date:	05/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report app.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: app.exePID: 5348, Parent PID: 1028

General

Analysis Process: conhost.exePID: 6568, Parent PID: 5348

General

Disassembly

Windows Analysis Report
app.exe