Windows Analysis Report: NtpService.exe
Overview

General Information

Detection

Score | Range | Whitelisted | Confidence |
---|---|---|---|
56 | 0 - 100 | false | 100% |
Signatures

Classification

System is w10x64

Process tree:
- NtpService.exe (PID: 5416, cmdline: "C:\Users\user\Desktop\NtpService.exe", MD5: 9200C356B485CA61EC88258F0800657A)
- cleanup
Signature evidence, grouped by source:

- AV Detection: Avira, ReversingLabs, Virustotal (verdicts in the Detection table below; ReversingLabs and Virustotal each feed two signatures)
- Static PE information (5 signatures)
- Code function: 0_2_00007FF639C31000, 0_2_00007FF639C31610, 0_2_00007FF639C31DD0, 0_2_00007FF639C31FC0, 0_2_00007FF639C31C70, 0_2_00007FF639C3606A
- Binary or memory string (4 signatures)
- Classification label
- Key opened (1 behavior entry)
- Section loaded (11 behavior entries)
- API call chain: graph_0-167, graph_0-171
- Thread injection, dropped files, key value created, disk infection and DNS query (2 signatures)
MITRE ATT&CK Matrix

Cells with a leading count (for example "1 DLL Side-Loading") are the techniques matched by this sample's signatures, the count being the number of matching signatures; cells without a count are the matrix template.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Detection | Scanner | Label |
---|---|---|
47% | ReversingLabs | Win64.Trojan.Ulise |
66% | Virustotal | |
100% | Avira | TR/Agent_AGen.uznno |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1448269 |
Start date and time: | 2024-05-28 07:47:11 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 51s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | NtpService.exe |
Detection: | MAL |
Classification: | mal56.winEXE@1/0@0/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |

- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded IPs from analysis (whitelisted): 131.107.255.255
- Excluded domains from analysis (whitelisted): act0.microsoft.com, dns.msftncsi.com
Static File Info

File type: | |
Entropy (8bit): | 3.3721059731523857 |
TrID: | |
File name: | NtpService.exe |
File size: | 79'360 bytes |
MD5: | 9200c356b485ca61ec88258f0800657a |
SHA1: | dc76c7586e1946ac120111d3a35937526a7cf140 |
SHA256: | d9a8151aff9d1c061826a9812ed9a6600805c74a519df333513fd4a79d2d4e61 |
SHA512: | 0e4df7af26defdb827c91569a670dd3e028927a06df5d983eaebf48c791817d7b70effe9167cc05c1075f9cc3f614f22c67d8e01caee5da9ac458f546f233316 |
SSDEEP: | 768:nBF+RdnVwyLDU8uoB/qW1cGerHyKvu1YbTgocJU:BkfPL1cvrHyKvu1M |
TLSH: | 93731C836680917FD9DEF6365806B9A6579A3C0DC998331DF3E072F9DC35E403A902A7 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...;..d...............%.......................@....................................u.....`... ............................ |
Icon Hash: | 4cf4eb164f4c311f |

Static PE Info

Entrypoint: | 0x140001000 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x64DCFE3B [Wed Aug 16 16:50:03 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | c780720f489db1bb1bd4cd626443ef53 |
Entrypoint Preview (0x140001000, .text)

```asm
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 00000658h
movaps esp+00000630h, dqword ptr [xmm6]
movaps esp+00000640h, dqword ptr [xmm7]
dec eax
lea edi, dword ptr [esp+00000090h]
dec eax
lea edx, dword ptr [esp+00000158h]
dec eax
mov eax, edi
nop word ptr [eax+eax+00000000h]
dec eax
mov dword ptr [eax], 00000000h
dec eax
add eax, 08h
dec eax
cmp edx, eax
jne 00007FE2C8F7F7B2h
dec eax
mov eax, dword ptr [00003259h]
xor ecx, ecx
dec eax
lea esi, dword ptr [esp+00000270h]
mov dword ptr [esp+00000160h], 00000020h
dec eax
mov edx, esi
inc ecx
mov eax, 00000104h
dec eax
mov dword ptr [esp+00000158h], eax
call dword ptr [00006075h]
xor edx, edx
cmp byte ptr [esp+00000270h], 00000000h
je 00007FE2C8F7F7CDh
nop
dec eax
add edx, 01h
cmp byte ptr [esi+edx], 00000000h
jne 00007FE2C8F7F7B8h
dec eax
mov ecx, esi
call dword ptr [00006085h]
movzx edx, byte ptr [esp+00000270h]
test dl, dl
je 00007FE2C8F7FD0Ch
xor ebp, ebp
dec eax
mov eax, esi
nop dword ptr [eax+eax+00000000h]
cmp dl, 0000005Ch
dec eax
cmove ebp, eax
```

How to read this listing: it was decoded in 32-bit mode although the image is a 64-bit PE (Imagebase 0x140000000, Wow64 false). In 64-bit mode the bytes 0x41 and 0x48 are REX prefixes, not `inc ecx` and `dec eax`, so every `inc ecx` or `dec eax` line belongs to the instruction after it. The four `inc ecx` / `push` pairs are `push r15`, `push r14`, `push r13`, `push r12`; `dec eax` / `sub esp, 658h` is `sub rsp, 658h`; the `movaps esp+..., dqword ptr [xmm6]` lines are the decoder's rendering of `movaps [rsp+630h], xmm6` (saving the non-volatile xmm6/xmm7); and the `[00003259h]`, `[00006075h]` and `[00006085h]` operands are RIP-relative displacements, so the two `call dword ptr [...]` lines are calls through the import address table (.idata, RVA 0x7000).

Read that way, the prologue zeroes a stack array in 8-byte steps and then resolves its own path: `xor ecx, ecx` (hModule = NULL), `mov edx, esi` (a stack buffer at rsp+270h) and `inc ecx` / `mov eax, 104h` (`mov r8d, 104h`, the MAX_PATH size) are the three arguments of the first IAT call, which matches the imported GetModuleFileNameA. The `add edx, 01h` / `cmp byte ptr [esi+edx], 0` loop measures the returned string, and the second IAT call receives the buffer and that length, which matches the imported CharUpperBuffA(lpsz, cchLength). The final loop compares each byte with 5Ch (`\`) and `cmove ebp, eax` keeps the position of the last backslash, i.e. the directory part of the executable's own path; SetCurrentDirectoryA is also imported. The listing therefore shows the sample locating its own directory before doing anything else, a pattern consistent with reading a companion file from that directory (CreateFileA, GetFileSize and ReadFile are imported) rather than with a time-service executable.
Data Directories

Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7000 | 0x298 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x10cc8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5000 | 0x48 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x70d8 | 0x88 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1340 | 0x1400 | 2451f6e1c4c86208c4269faab8deb290 | False | 0.623046875 | data | 6.081103037544234 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x3000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x4000 | 0x4c0 | 0x600 | 8a9f0263c2b30544bcc92447d953ee60 | False | 0.6868489583333334 | data | 5.6294295482462005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.pdata | 0x5000 | 0x48 | 0x200 | 6e586a795f4d7edab0473afeabeb824e | False | 0.130859375 | data | 0.619376959528734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.xdata | 0x6000 | 0x7c | 0x200 | 4e63e5341f0901762c553edc6730ae46 | False | 0.197265625 | data | 1.7704887322851404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.idata | 0x7000 | 0x298 | 0x400 | 9deaaf603c81764623999dfaececea95 | False | 0.3017578125 | data | 2.527998666694306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x8000 | 0x10cc8 | 0x10e00 | a82b568dfc29ec1ef92ac026a5a2f796 | False | 0.08153935185185185 | data | 2.869919907826146 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |

Two things worth noting when triaging from this table. First, the whole-file entropy of 3.37 says nothing about packing here: .text sits at 6.08 bits/byte, ordinary for compiled code, and the low overall figure comes from .rsrc, which holds a single large icon (ZLIB complexity 0.08, i.e. highly repetitive) and accounts for 69'120 of the 78'336 section bytes (the remaining 1'024 bytes of the 79'360-byte file are headers). Judge entropy per section, not per file. Second, the image sets DYNAMIC_BASE and HIGH_ENTROPY_VA but has no .reloc section and an empty BASERELOC directory; the process nevertheless ran at 0x7ff639c30000 rather than the preferred 0x140000000, which is possible because the x64 code is RIP-relative and needs no fixups. The writable .idata and .rsrc sections are a linker layout choice rather than evidence of self-modification on their own (Dynamic/Decrypted Code Coverage in the execution graph is 0%).
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x80e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m | English | United States | 0.07618596947829173 |
RT_GROUP_ICON | 0x18910 | 0x14 | data | English | United States | 1.15 |
RT_VERSION | 0x18928 | 0x39c | data | English | United States | 0.40476190476190477 |
Imports

DLL | Import |
---|---|
KERNEL32.dll | CloseHandle, CreateFileA, ExitProcess, GetFileSize, GetModuleFileNameA, ReadFile, SetCurrentDirectoryA, VirtualAlloc, VirtualProtect |
USER32.dll | CharUpperBuffA |
WS2_32.dll | WSAStartup, getaddrinfo, select, socket |
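The import set is small and telling: the binary can open and read a file (CreateFileA, GetFileSize, ReadFile), obtain memory and change its protection (VirtualAlloc, VirtualProtect), and resolve a host and open a socket (getaddrinfo, socket, select), with no LoadLibrary/GetProcAddress pair and no string or C-runtime imports at all. The script below is an added example and not part of the Joe Sandbox report or of the sample: it reproduces the report's 8-bit entropy metric, computes an import hash in the pefile convention from the table above, and flags the file-read plus executable-memory plus network combination as loader-like. The import order on disk is an assumption (the report lists names alphabetically per DLL), so the digest it prints is not expected to equal the report's Import Hash; the section sizes and entropies are copied from the Sections table.

```python
"""Static triage over the PE facts in this report.

Added example, not from the report or the sample. All input below is
constructed inline from the report's tables, so the script runs offline.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter

# Import table as printed in the report. Real import-table order is an
# assumption, so imphash(IMPORTS) is not expected to match the report's value.
IMPORTS: dict[str, list[str]] = {
    "KERNEL32.dll": [
        "CloseHandle", "CreateFileA", "ExitProcess", "GetFileSize",
        "GetModuleFileNameA", "ReadFile", "SetCurrentDirectoryA",
        "VirtualAlloc", "VirtualProtect",
    ],
    "USER32.dll": ["CharUpperBuffA"],
    "WS2_32.dll": ["WSAStartup", "getaddrinfo", "select", "socket"],
}

# (raw size, 8-bit entropy) per section, copied from the report's Sections table.
SECTIONS: dict[str, tuple[int, float]] = {
    ".text": (0x1400, 6.081103037544234),
    ".data": (0x200, 0.0),
    ".rdata": (0x600, 5.6294295482462005),
    ".pdata": (0x200, 0.619376959528734),
    ".xdata": (0x200, 1.7704887322851404),
    ".idata": (0x400, 2.527998666694306),
    ".rsrc": (0x10e00, 2.869919907826146),
}

# Which imports grant which primitive. Names absent from this sample's table
# (CreateFileW, connect, LoadLibrary*, ...) are included only so the buckets
# generalise to other samples.
CAPABILITIES: dict[str, set[str]] = {
    "file_read": {"CreateFileA", "CreateFileW", "ReadFile", "GetFileSize"},
    "exec_memory": {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect"},
    "network": {"WSAStartup", "getaddrinfo", "socket", "connect", "select", "recv"},
    "dynamic_resolve": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the metric behind the report's 'Entropy (8bit)' fields:
    0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def imphash(imports: dict[str, list[str]]) -> str:
    """Import hash in the pefile convention: lower-case 'dll.function' pairs
    with the DLL extension stripped, in table order, comma-joined, MD5-hashed.
    It is order-sensitive by design, so two builds that import the same
    names in a different order hash differently."""
    parts: list[str] = []
    for dll, funcs in imports.items():
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
                break
        parts.extend(f"{base}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def capabilities(imports: dict[str, list[str]]) -> dict[str, set[str]]:
    """Map each capability bucket to the imported APIs that provide it."""
    present = {func for funcs in imports.values() for func in funcs}
    return {name: present & apis for name, apis in CAPABILITIES.items() if present & apis}


def loader_like(imports: dict[str, list[str]]) -> bool:
    """Minimal stage-loader toolkit: get bytes from somewhere and make memory
    executable. A file read alone qualifies; the network bucket is extra."""
    return {"file_read", "exec_memory"}.issubset(capabilities(imports))


def weighted_section_entropy(sections: dict[str, tuple[int, float]]) -> float:
    """Raw-size-weighted mean of per-section entropy. Entropy is concave, so
    this mean cannot exceed the entropy of the concatenated sections; compare
    it with the report's whole-file 3.37 to see what drives that figure."""
    total = sum(size for size, _ in sections.values())
    return sum(size * ent for size, ent in sections.values()) / total


def dominant_section(sections: dict[str, tuple[int, float]]) -> tuple[str, float]:
    """Largest section by raw size and its share of all section bytes."""
    total = sum(size for size, _ in sections.values())
    name, (size, _) = max(sections.items(), key=lambda kv: kv[1][0])
    return name, size / total


if __name__ == "__main__":
    print("imphash (import order assumed):", imphash(IMPORTS))
    print("capabilities:", {k: sorted(v) for k, v in capabilities(IMPORTS).items()})
    print("loader-like:", loader_like(IMPORTS))
    name, share = dominant_section(SECTIONS)
    print(f"weighted section entropy: {weighted_section_entropy(SECTIONS):.2f} "
          f"({name} is {share:.0%} of section bytes)")
```

Run on the report's tables the script reports all three of file_read, exec_memory and network present, no dynamic_resolve bucket, and a size-weighted section entropy of about 3.09 with .rsrc holding roughly 88% of section bytes, which is the quantitative form of the caveat above: the icon, not the code, sets the whole-file entropy.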
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior

Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 28, 2024 07:48:08.628968000 CEST | 53 | 53212 | 1.1.1.1 | 192.168.2.5 |

The only recorded packet is a DNS reply from 1.1.1.1 port 53 to the analysis VM (192.168.2.5) on port 53212, which matches the "DNS query" signature and the getaddrinfo import. No TCP connection from the sample appears in the capture before the analysis timed out.
System Behavior

Analysis Process: NtpService.exe (PID 5416)

Target ID: | 0 |
Start time: | 01:48:02 |
Start date: | 28/05/2024 |
Path: | C:\Users\user\Desktop\NtpService.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\NtpService.exe" |
Imagebase: | 0x7ff639c30000 |
File size: | 79'360 bytes |
MD5 hash: | 9200C356B485CA61EC88258F0800657A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph

Execution Coverage: | 81.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 90.9% |
Total number of Nodes: | 33 |
Total number of Limit Nodes: | 6 |
Functions (callgraph nodes)

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00007FF639C31000 | 30.1 | 15 | 2 | 346 | network, COMMON |
00007FF639C31610 | 0.4 | | | 394 | COMMON |
00007FF639C31FC0 | 0.2 | | | 183 | COMMON |
00007FF639C31DD0 | 0.1 | | | 130 | COMMON |
00007FF639C31C70 | 0.1 | | | 107 | COMMON |

Function 00007FF639C31000 is the entrypoint (the runtime Imagebase 0x7ff639c30000 plus the entrypoint RVA 0x1000) and the only function that calls imported APIs; its 15 API calls and 2 string references account for nearly all of the signature coverage.