Edit tour
Windows
Analysis Report
NtpService.exe
Overview
General Information
| Sample name: | NtpService.exe |
| Analysis ID: | 1448269 |
| MD5: | 9200c356b485ca61ec88258f0800657a |
| SHA1: | dc76c7586e1946ac120111d3a35937526a7cf140 |
| SHA256: | d9a8151aff9d1c061826a9812ed9a6600805c74a519df333513fd4a79d2d4e61 |
| Tags: | exe |
| Infos: | |
 | |
Detection
| Score: | 56 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
NtpService.exe (PID: 5416 cmdline: "C:\Users\ user\Deskt op\NtpServ ice.exe" MD5: 9200C356B485CA61EC88258F0800657A)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF639C31000 | |
| Source: | Code function: | 0_2_00007FF639C31610 | |
| Source: | Code function: | 0_2_00007FF639C31DD0 | |
| Source: | Code function: | 0_2_00007FF639C31FC0 | |
| Source: | Code function: | 0_2_00007FF639C31C70 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF639C3606A | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-167 | ||
| Source: | API call chain: | graph_0-171 | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 47% | ReversingLabs | Win64.Trojan.Ulise | ||
| 66% | Virustotal | Browse | ||
| 100% | Avira | TR/Agent_AGen.uznno |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1448269 |
| Start date and time: | 2024-05-28 07:47:11 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 51s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | NtpService.exe |
| Detection: | MAL |
| Classification: | mal56.winEXE@1/0@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded IPs from analysis (whitelisted): 131.107.255.255
- Excluded domains from analysis (whitelisted): act0.microsoft.com, dns.msftncsi.com
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 3.3721059731523857 |
| TrID: |
|
| File name: | NtpService.exe |
| File size: | 79'360 bytes |
| MD5: | 9200c356b485ca61ec88258f0800657a |
| SHA1: | dc76c7586e1946ac120111d3a35937526a7cf140 |
| SHA256: | d9a8151aff9d1c061826a9812ed9a6600805c74a519df333513fd4a79d2d4e61 |
| SHA512: | 0e4df7af26defdb827c91569a670dd3e028927a06df5d983eaebf48c791817d7b70effe9167cc05c1075f9cc3f614f22c67d8e01caee5da9ac458f546f233316 |
| SSDEEP: | 768:nBF+RdnVwyLDU8uoB/qW1cGerHyKvu1YbTgocJU:BkfPL1cvrHyKvu1M |
| TLSH: | 93731C836680917FD9DEF6365806B9A6579A3C0DC998331DF3E072F9DC35E403A902A7 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...;..d...............%.......................@....................................u.....`... ............................ |
 | |
| Icon Hash: | 4cf4eb164f4c311f |
| Entrypoint: | 0x140001000 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x64DCFE3B [Wed Aug 16 16:50:03 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | c780720f489db1bb1bd4cd626443ef53 |
| Instruction |
|---|
| inc ecx |
| push edi |
| inc ecx |
| push esi |
| inc ecx |
| push ebp |
| inc ecx |
| push esp |
| push ebp |
| push edi |
| push esi |
| push ebx |
| dec eax |
| sub esp, 00000658h |
| movaps esp+00000630h, dqword ptr [xmm6] |
| movaps esp+00000640h, dqword ptr [xmm7] |
| dec eax |
| lea edi, dword ptr [esp+00000090h] |
| dec eax |
| lea edx, dword ptr [esp+00000158h] |
| dec eax |
| mov eax, edi |
| nop word ptr [eax+eax+00000000h] |
| dec eax |
| mov dword ptr [eax], 00000000h |
| dec eax |
| add eax, 08h |
| dec eax |
| cmp edx, eax |
| jne 00007FE2C8F7F7B2h |
| dec eax |
| mov eax, dword ptr [00003259h] |
| xor ecx, ecx |
| dec eax |
| lea esi, dword ptr [esp+00000270h] |
| mov dword ptr [esp+00000160h], 00000020h |
| dec eax |
| mov edx, esi |
| inc ecx |
| mov eax, 00000104h |
| dec eax |
| mov dword ptr [esp+00000158h], eax |
| call dword ptr [00006075h] |
| xor edx, edx |
| cmp byte ptr [esp+00000270h], 00000000h |
| je 00007FE2C8F7F7CDh |
| nop |
| dec eax |
| add edx, 01h |
| cmp byte ptr [esi+edx], 00000000h |
| jne 00007FE2C8F7F7B8h |
| dec eax |
| mov ecx, esi |
| call dword ptr [00006085h] |
| movzx edx, byte ptr [esp+00000270h] |
| test dl, dl |
| je 00007FE2C8F7FD0Ch |
| xor ebp, ebp |
| dec eax |
| mov eax, esi |
| nop dword ptr [eax+eax+00000000h] |
| cmp dl, 0000005Ch |
| dec eax |
| cmove ebp, eax |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7000 | 0x298 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x10cc8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5000 | 0x48 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x70d8 | 0x88 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1340 | 0x1400 | 2451f6e1c4c86208c4269faab8deb290 | False | 0.623046875 | data | 6.081103037544234 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x3000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x4000 | 0x4c0 | 0x600 | 8a9f0263c2b30544bcc92447d953ee60 | False | 0.6868489583333334 | data | 5.6294295482462005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .pdata | 0x5000 | 0x48 | 0x200 | 6e586a795f4d7edab0473afeabeb824e | False | 0.130859375 | data | 0.619376959528734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .xdata | 0x6000 | 0x7c | 0x200 | 4e63e5341f0901762c553edc6730ae46 | False | 0.197265625 | data | 1.7704887322851404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .idata | 0x7000 | 0x298 | 0x400 | 9deaaf603c81764623999dfaececea95 | False | 0.3017578125 | data | 2.527998666694306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x8000 | 0x10cc8 | 0x10e00 | a82b568dfc29ec1ef92ac026a5a2f796 | False | 0.08153935185185185 | data | 2.869919907826146 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x80e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m | English | United States | 0.07618596947829173 |
| RT_GROUP_ICON | 0x18910 | 0x14 | data | English | United States | 1.15 |
| RT_VERSION | 0x18928 | 0x39c | data | English | United States | 0.40476190476190477 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CreateFileA, ExitProcess, GetFileSize, GetModuleFileNameA, ReadFile, SetCurrentDirectoryA, VirtualAlloc, VirtualProtect |
| USER32.dll | CharUpperBuffA |
| WS2_32.dll | WSAStartup, getaddrinfo, select, socket |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 28, 2024 07:48:08.628968000 CEST | 53 | 53212 | 1.1.1.1 | 192.168.2.5 |
| Target ID: | 0 |
| Start time: | 01:48:02 |
| Start date: | 28/05/2024 |
| Path: | C:\Users\user\Desktop\NtpService.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff639c30000 |
| File size: | 79'360 bytes |
| MD5 hash: | 9200C356B485CA61EC88258F0800657A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 81.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 90.9% |
| Total number of Nodes: | 33 |
| Total number of Limit Nodes: | 6 |
Graph
Callgraph
Function 00007FF639C31000 Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 346networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF639C31610 Relevance: .4, Instructions: 394COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF639C31FC0 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF639C31DD0 Relevance: .1, Instructions: 130COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF639C31C70 Relevance: .1, Instructions: 107COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|