Edit tour

Windows Analysis Report
testvec.exe

Overview

General Information

Sample name:	testvec.exe
Analysis ID:	1448272
MD5:	7e0c85852b2cd932626fcf284ca72978
SHA1:	c8ccf6e20cde537f3da64aebd1f80b144a4c8e0a
SHA256:	9a977571296ae1548c32df94be75eec2a414798bee7064b0bf44859e886a0cfa
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected potential crypto function

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

testvec.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\testvec.exe" MD5: 7E0C85852B2CD932626FCF284CA72978)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: testvec.exe

Virustotal: Detection: 6%

Perma Link

Source: testvec.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: testvec.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: testvec.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: testvec.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: testvec.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: testvec.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: testvec.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: testvec.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: testvec.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: testvec.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_00401000	0_2_00401000
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_004024A0	0_2_004024A0
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_00402A10	0_2_00402A10
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_00402630	0_2_00402630

Source: testvec.exe

Static PE information: invalid certificate

Source: testvec.exe, 00000000.00000000.1323388326.0000000000407000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTEST.EXED vs testvec.exe
Source: testvec.exe, 00000000.00000002.1323821040.0000000000408000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTEST.EXED vs testvec.exe
Source: testvec.exe	Binary or memory string: OriginalFilenameTEST.EXED vs testvec.exe

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\testvec.exe

File created: C:\Users\user\AppData\Local\Temp\loader.log

Jump to behavior

Source: testvec.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\testvec.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: testvec.exe

Virustotal: Detection: 6%

Source: C:\Users\user\Desktop\testvec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\testvec.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\testvec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\testvec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\testvec.exe	Section loaded: profapi.dll	Jump to behavior

Source: testvec.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: testvec.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_00407144 push rdi; retf	0_2_0040714F
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_00407124 push rsi; retf	0_2_00407137
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_00407164 push rbp; retf	0_2_00407177
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_0040714C push rsi; retf	0_2_00407157
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_0040712C push rsi; retf	0_2_00407137
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_00407174 push rbp; retf	0_2_00407177
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_0040713C push rbp; retf	0_2_0040713F
Source: C:\Users\user\Desktop\testvec.exe	Code function: 0_2_0040711C push rsi; retf	0_2_00407127

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: testvec.exe, 00000000.00000002.1323850520.00000000006F4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\testvec.exe	API call chain: ExitProcess graph end node	graph_0-284
Source: C:\Users\user\Desktop\testvec.exe	API call chain: ExitProcess graph end node	graph_0-294
Source: C:\Users\user\Desktop\testvec.exe	API call chain: ExitProcess graph end node	graph_0-287

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\testvec.exe

Code function: 0_2_00402880 CreateFileA,GetLocalTime,GetDateFormatA,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,GetTimeFormatA,WriteFile,FlushFileBuffers,

0_2_00402880

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
testvec.exe	8%	ReversingLabs
testvec.exe	7%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448272
Start date and time:	2024-05-28 07:48:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	testvec.exe
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	4.08024962025428
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	testvec.exe
File size:	89'392 bytes
MD5:	7e0c85852b2cd932626fcf284ca72978
SHA1:	c8ccf6e20cde537f3da64aebd1f80b144a4c8e0a
SHA256:	9a977571296ae1548c32df94be75eec2a414798bee7064b0bf44859e886a0cfa
SHA512:	04e38c62d83f963e7ba6859269f060fa8b530072cb9d816a0d5320db3f1f4a61db6f820e7ae33c212a0ff7c70aac0f4f670e26f81c1973ca8e168326e311e057
SSDEEP:	768:h8JqGaVJ2wSS9KnDUyLDU8uoB/qW1cGerHyKvu1YbTgocJOsr4+9iocUf2hb:9kS9KBL1cvrHyKvu1Gsr4siDUf
TLSH:	ED936F93A680A03FC9CFF6365912B9A317A53C0CD954371EE791B2F4DE31E403A90267
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......]........../...... ....................@....................................." ....`... ............................

File Icon


Icon Hash:	4cf4eb164f4c311f

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5DE0FDFE [Fri Nov 29 11:16:14 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cd7d90d884561e880b8d39a2eaa4c342

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=TrustLand Ltd. Root CA, OU=TrustLand Ltd. Root CA, O=TrustLand Ltd., L=Europe, C=UK, DC=trustland, DC=com
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	29/11/2019 12:35:54 28/11/2022 12:35:54
Subject Chain	CN=TrustLand Ltd. Code Signing Authority, OU=TrustLand Ltd. Code Signing Authority, O=TrustLand Ltd.
Version:	3
Thumbprint MD5:	73D9BCC701F7B3064441374B78DA44F7
Thumbprint SHA-1:	8A6F25D4B6D35D8B31080BF273585C84BC698DCE
Thumbprint SHA-256:	6FFDC787567050D60E3FC86F33B8934E730FF32698526E9F27DE98E43EBD8D5E
Serial:	73B17D4E80A3FDF5AA6AF2480C46418F4CE747F4

Entrypoint Preview

Instruction
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 000006B8h
inc ebp
xor ecx, ecx
inc ebp
xor eax, eax
xor ecx, ecx
mov edx, 00000028h
dec eax
lea esi, dword ptr [esp+00000510h]
dec eax
mov dword ptr [esp+20h], esi
call dword ptr [00006159h]
test eax, eax
js 00007F08D903B588h
mov ecx, 00000001h
xor eax, eax
dec eax
mov edx, esi
dec eax
sub ecx, esi
cmp byte ptr [esp+00000510h], 00000000h
je 00007F08D903B1CDh
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
lea eax, dword ptr [edx+ecx]
dec eax
add edx, 01h
cmp byte ptr [edx], 00000000h
jne 00007F08D903B1A5h
mov eax, eax
mov ecx, 00000041h
dec eax
lea edx, dword ptr [00002F8Dh]
inc ecx
mov eax, 0000005Ch
dec eax
add eax, esi
jmp 00007F08D903B1C3h
nop word ptr [eax+eax+00000000h]
inc ecx
mov eax, ecx
movzx ecx, byte ptr [edx+01h]
dec eax
add eax, 01h
dec eax
add edx, 01h
inc esp
mov byte ptr [eax-01h], al
test cl, cl
jne 00007F08D903B19Bh
dec eax
mov dword ptr [esp+30h], 00000000h
inc ebp
xor ecx, ecx
inc ecx
mov eax, 00000005h
dec eax
mov ecx, esi
mov dword ptr [esp+28h], 20000102h
mov edx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7000	0x360	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x10bf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5000	0x48	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x13e00	0x1f30	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7114	0xb0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f60	0x2000	1a2109352808517e8b18462d8629dfba	False	0.54833984375	data	5.70720079667084	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4000	0x2e0	0x400	ea334197dbeb12e5933b240fd07d010c	False	0.740234375	data	6.237217583105469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x5000	0x48	0x200	d437eadcec7949db39492b86db2952ac	False	0.13671875	data	0.6094161052416324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x6000	0x74	0x200	05424220bf68dbc01beaf59a20f5ca4a	False	0.21484375	data	1.6219178152915887	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x7000	0x360	0x400	96cadc0bb624679e53291c6e705417c7	False	0.369140625	data	3.165294663901878	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8000	0x10bf8	0x10c00	bfd0e301d1bde78ee9e730fd7fb11fee	False	0.08169601212686567	data	2.864648863579679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x80e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m	English	United States	0.07618596947829173
RT_GROUP_ICON	0x18910	0x14	data	English	United States	1.15
RT_VERSION	0x18928	0x2d0	data	English	United States	0.4722222222222222

Imports

DLL	Import
KERNEL32.dll	CreateFileA, ExitProcess, FlushFileBuffers, GetDateFormatA, GetFileSize, GetLocalTime, GetModuleFileNameA, GetTimeFormatA, ReadFile, SetStdHandle, Sleep, VirtualAlloc, VirtualProtect, WriteFile
SHFOLDER.dll	SHGetFolderPathA
USER32.dll	CharUpperBuffA
WS2_32.dll	WSAStartup, getaddrinfo

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	01:48:54
Start date:	28/05/2024
Path:	C:\Users\user\Desktop\testvec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\testvec.exe"
Imagebase:	0x400000
File size:	89'392 bytes
MD5 hash:	7E0C85852B2CD932626FCF284CA72978
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	96.7%
Total number of Nodes:	60
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401000 Relevance: 57.0, APIs: 19, Strings: 13, Instructions: 1044filenetworkCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHFOLDER ref: 0040102D
CreateFileA.KERNELBASE ref: 004010D8
WSAStartup.WS2_32 ref: 00401154
GetModuleFileNameA.KERNEL32 ref: 0040117D
CharUpperBuffA.USER32 ref: 004011B8
ExitProcess.KERNEL32 ref: 00401412
ExitProcess.KERNEL32 ref: 0040141D

Strings

Input file: , xrefs: 004012D8
, xrefs: 0040113D
: Try: , xrefs: 00401555
\AppData\\Local\\Temp\\loader.log, xrefs: 00401074
.BIN, xrefs: 004012CD
azure.microsoft.com, xrefs: 0040143E
Retry, xrefs: 00401B88
: Launch... , xrefs: 004023F6
: LAUNCH, xrefs: 004010F8
Basename: , xrefs: 00401300
Failed: , xrefs: 00401B74
http, xrefs: 0040158C
Decrypting , xrefs: 004022AA

Memory Dump Source

Source File: 00000000.00000002.1323776146.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1323764687.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323810145.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323821040.0000000000408000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_testvec.jbxd

Similarity

API ID: ExitFileProcess$BuffCharCreateFolderModuleNamePathStartupUpper
String ID: $ Retry$.BIN$: LAUNCH$: Launch... $: Try: $Basename: $Decrypting $Failed: $Input file: $\AppData\\Local\\Temp\\loader.log$azure.microsoft.com$http
API String ID: 102095214-2876707994
Opcode ID: 41087516d0a7382021d80091c5f23595a174f3f87c4c0fd34dc92d1fe67bf54a
Instruction ID: 95658e137f340f4a494c528737d3ef8c2698eceb53be4511814140567903336b
Opcode Fuzzy Hash: 41087516d0a7382021d80091c5f23595a174f3f87c4c0fd34dc92d1fe67bf54a
Instruction Fuzzy Hash: 0FA2DE72719BD086DB308B25E4447AABBA0F789B84F44812ADFCD67B99DB3DC145CB04

Function 00402880 Relevance: 13.6, APIs: 9, Instructions: 88
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32 ref: 004028B1
GetDateFormatA.KERNEL32 ref: 004028DE
WriteFile.KERNELBASE ref: 0040292F
FlushFileBuffers.KERNEL32 ref: 0040293F
WriteFile.KERNELBASE ref: 00402961
FlushFileBuffers.KERNEL32 ref: 0040296A
GetTimeFormatA.KERNEL32 ref: 00402989
WriteFile.KERNELBASE ref: 004029D3
FlushFileBuffers.KERNEL32 ref: 004029DC

Memory Dump Source

Source File: 00000000.00000002.1323776146.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1323764687.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323810145.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323821040.0000000000408000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_testvec.jbxd

Similarity

API ID: File$BuffersFlushWrite$FormatTime$DateLocal
String ID:
API String ID: 349335677-0
Opcode ID: e52f5cf739d24a76ee28413ae1b9debb60832dc5f2c890d1e61afade3f67b619
Instruction ID: 71c8b01572e34755489ba76d4023017d1ad8c2c004aaeb0349453908e2991f0c
Opcode Fuzzy Hash: e52f5cf739d24a76ee28413ae1b9debb60832dc5f2c890d1e61afade3f67b619
Instruction Fuzzy Hash: E33181B2614A8485E7208F51F91479ABB60F389789F484132DF8D277D8CFBDC549C748

Function 00402800 Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 00402848
FlushFileBuffers.KERNEL32 ref: 00402855

Memory Dump Source

Source File: 00000000.00000002.1323776146.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1323764687.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323810145.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323821040.0000000000408000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_testvec.jbxd

Similarity

API ID: File$BuffersFlushWrite
String ID:
API String ID: 1012034594-0
Opcode ID: a97c07eda4a0a53a70f4e141aca702407c86102d821ce71e9a9899db51a7829b
Instruction ID: a597425ef4634b2b882578b8714d0733edaf96c88882fa2e568bbfde784e65fe
Opcode Fuzzy Hash: a97c07eda4a0a53a70f4e141aca702407c86102d821ce71e9a9899db51a7829b
Instruction Fuzzy Hash: 06F082AA51AA4084EB11EB51D50C7656720A346785FC4C223CB4E227D08BBCC545C749

Non-executed Functions

Function 00402A10 Relevance: .2, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1323776146.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1323764687.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323810145.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323821040.0000000000408000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_testvec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec13ac4e99fbb62a0ce8a52716004b121548a743d60f6041e31b6fed0c80df13
Instruction ID: 32dee86cc3c6679ca2ae3ede7a95360dd6cf43dec582ea4ea53ff3567f8040fb
Opcode Fuzzy Hash: ec13ac4e99fbb62a0ce8a52716004b121548a743d60f6041e31b6fed0c80df13
Instruction Fuzzy Hash: C8B1397260ABC485DBA1CB05F9447DAB3A4F788784F50822ADACD57B88EF7DC195CB40

Function 00402630 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1323776146.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1323764687.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323810145.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323821040.0000000000408000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_testvec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee30d71fabf80c46d13d5c6313867e08a1b0bf766293a02cf630f90dcdd7dff0
Instruction ID: c94b62c77fb9e09193b4c7fdfaa43efc77afbaacc5cf42c774524456296f9277
Opcode Fuzzy Hash: ee30d71fabf80c46d13d5c6313867e08a1b0bf766293a02cf630f90dcdd7dff0
Instruction Fuzzy Hash: 4B418A0372C7E414E7238E712610F6BBE60B7AA744F8BB091EF82A2B91D579CC25D650

Function 004024A0 Relevance: .1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1323776146.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1323764687.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323788325.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323810145.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323821040.0000000000408000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_testvec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a772e3fdd01b62430eaf906795f9e9889f0cf0c30ccbdf12ce755e7dd1a436
Instruction ID: 6851c6e90eb0b784e851e34f065c2ab92b56c3cb298fc26e4bc8e7469b2f4c10
Opcode Fuzzy Hash: 91a772e3fdd01b62430eaf906795f9e9889f0cf0c30ccbdf12ce755e7dd1a436
Instruction Fuzzy Hash: CB31771372C7E459E7234E312920F5BBE90B39A744FCBA091EFC652B92D629CC25D750

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report testvec.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: testvec.exePID: 7752, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: testvec.exePID: 7752, Parent PID: 4084COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 00401000 Relevance: 57.0, APIs: 19, Strings: 13, Instructions: 1044filenetworkCOMMON

Function 00402880 Relevance: 13.6, APIs: 9, Instructions: 88filetimeCOMMON

Control-flow Graph

Windows Analysis Report
testvec.exe

Function 00402880 Relevance: 13.6, APIs: 9, Instructions: 88
filetimeCOMMON

Function 00402800 Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Function 00402A10 Relevance: .2, Instructions: 244
COMMON

Function 00402630 Relevance: .1, Instructions: 133
COMMON

Function 004024A0 Relevance: .1, Instructions: 112
COMMON