Edit tour
Windows
Analysis Report
SpoonVirtualLayer.exe
Overview
General Information
| Sample name: | SpoonVirtualLayer.exe |
| Analysis ID: | 1452998 |
| MD5: | b026fad851a704cdfe30289b306e13f2 |
| SHA1: | c95b802bfbf41e94027154e9c5eda112120f6143 |
| SHA256: | 68854fbeb76d9d313ffa43f00029d14f2d8f9b6be245fa8b582b00ef37a04826 |
 | |
Detection
| Score: | 52 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Classification
- System is w10x64
SpoonVirtualLayer.exe (PID: 7516 cmdline: "C:\Users\ user\Deskt op\SpoonVi rtualLayer .exe" MD5: B026FAD851A704CDFE30289B306E13F2)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 32% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1452998 |
| Start date and time: | 2024-06-06 14:26:51 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 47s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SpoonVirtualLayer.exe |
| Detection: | MAL |
| Classification: | mal52.winEXE@1/0@0/0 |
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, W MIADAP.exe, SIHClient.exe, con host.exe - Excluded domains from analysis
(whitelisted): ocsp.digicert. com, slscr.update.microsoft.co m, ctldl.windowsupdate.com, fe 3cr.delivery.mp.microsoft.com - Not all processes where analyz
ed, report is missing behavior information - VT rate limit hit for: SpoonV
irtualLayer.exe
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.50402601571092 |
| TrID: |
|
| File name: | SpoonVirtualLayer.exe |
| File size: | 3'373'904 bytes |
| MD5: | b026fad851a704cdfe30289b306e13f2 |
| SHA1: | c95b802bfbf41e94027154e9c5eda112120f6143 |
| SHA256: | 68854fbeb76d9d313ffa43f00029d14f2d8f9b6be245fa8b582b00ef37a04826 |
| SHA512: | 78b86412560a8e98a64936ef9bd3c7101464be998f915eb1a97f461aed1df8376e598fb0ca8b205e347c0549e8400c4d32acc228cb4adef5fcbb20edcea25746 |
| SSDEEP: | 49152:g8mvcDgxEWMSL9j5evyPIDkQvqn4FLdHkA2u0v/37cLtUyk1/61JtxFIjBE:IvcDgxEwL9VyzkKq4FLdEr7cRgE1JF |
| TLSH: | 0CF5F02173A48079D0BB82768977865AE3F679604B31C7CF53D4526E1F33AD19B38B22 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..a.................P...0.......(.......`............................................................................. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x12884 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x10000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x61F01742 [Tue Jan 25 15:29:06 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 6080bfe3235cf25f8aae61b780e07a41 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| and esp, FFFFFFF8h |
| sub esp, 00000884h |
| xor ecx, ecx |
| push ebx |
| push esi |
| mov ebx, ecx |
| push edi |
| mov dword ptr [esp+14h], ebx |
| mov dword ptr [esp+3Ch], ecx |
| mov dword ptr [esp+2Ch], ecx |
| mov dword ptr [esp+28h], ecx |
| mov dword ptr [esp+30h], ecx |
| mov dword ptr [esp+48h], ecx |
| mov dword ptr [esp+1Ch], ecx |
| mov dword ptr [esp+38h], ecx |
| call 00007F6DBCE443CBh |
| mov eax, dword ptr fs:[00000018h] |
| mov eax, dword ptr [eax+30h] |
| push dword ptr [eax+000000A0h] |
| call dword ptr [0001602Ch] |
| mov esi, dword ptr [01017014h] |
| call esi |
| and eax, 11h |
| mov dword ptr [esp+4Ch], 00000003h |
| cmp eax, 00000111h |
| je 00007F6DBCE44986h |
| call esi |
| mov esi, dword ptr [esp+1Ch] |
| mov dword ptr [00016040h], eax |
| mov eax, dword ptr [esp+1Ch] |
| mov dword ptr [esp+0Ch], eax |
| mov eax, dword ptr [esp+1Ch] |
| mov dword ptr [esp+18h], esi |
| mov dword ptr [esp+20h], eax |
| jmp 00007F6DBCE44A3Eh |
| mov eax, dword ptr [esp+1Ch] |
| mov esi, dword ptr [esp+1Ch] |
| mov ecx, dword ptr [esp+1Ch] |
| mov dword ptr [esp+0Ch], eax |
| mov dword ptr [esp+18h], esi |
| mov dword ptr [esp+20h], ecx |
| push 00000004h |
| push 00001000h |
| push eax |
| push 00000000h |
| call dword ptr [01017058h] |
| mov edi, eax |
| call 00007F6DBCE4554Ch |
| mov ecx, eax |
| sub ecx, dword ptr [00016040h] |
| xor edx, edx |
| mov eax, ecx |
| div dword ptr [eax+eax+00h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1007070 | 0x28 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1009000 | 0x4f7 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1008000 | 0x248 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1007000 | 0x70 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x455c | 0x4600 | 7783fde87046970aa9ad5ea2ed636b5c | False | 0.5699776785714286 | data | 6.357044416713001 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x6000 | 0x460 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .xcpad | 0x7000 | 0x1000000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | |
| .idata | 0x1007000 | 0x34c | 0x400 | 188d4c7935fabaeff542b831662e8543 | False | 0.40625 | data | 4.118420174487891 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1008000 | 0x248 | 0x400 | 5e5f31871efa80da544365cbf2e60770 | False | 0.5546875 | data | 4.402487926985488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1009000 | 0x4f7 | 0x600 | 17e40d0c16a993357b6ee4864cf4cce8 | False | 0.3587239583333333 | data | 3.6037414765952334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x10090a0 | 0x2b4 | data | 0.4393063583815029 | ||
| RT_MANIFEST | 0x1009354 | 0x1a3 | ASCII text | English | United States | 0.477326968973747 |
| DLL | Import |
|---|---|
| KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, GetProcAddress, GetModuleHandleW, GetTickCount, GetModuleFileNameW, SetEnvironmentVariableW, IsWow64Process, OpenProcess, GetLastError, DuplicateHandle, GetCommandLineW, OpenFileMappingW, MapViewOfFile, SetEvent, UnmapViewOfFile, CloseHandle, GetCommandLineA, CreateFileW, CreateFileMappingW, GetFileSizeEx, VirtualAlloc, VirtualFree, LoadLibraryW, ExitProcess, GetModuleHandleA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 08:27:42 |
| Start date: | 06/06/2024 |
| Path: | C:\Users\user\Desktop\SpoonVirtualLayer.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x10000 |
| File size: | 3'373'904 bytes |
| MD5 hash: | B026FAD851A704CDFE30289B306E13F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
⊘No disassembly
