Edit tour
Windows
Analysis Report
ntrights.exe
Overview
General Information
| Sample name: | ntrights.exe |
| Analysis ID: | 1453462 |
| MD5: | 416c43aeb17252ee33048bd1f277d2a5 |
| SHA1: | 085deb77551f9f6201e5aa352b62cad91c3005e5 |
| SHA256: | f46baa1b6227226518e42263e9b4808f81c27d060207df160f9ac64deae4f4f5 |
| Infos: | |
 | |
Detection
| Score: | 0 |
| Range: | 0 - 100 |
| Whitelisted: | true |
| Confidence: | 100% |
Signatures
Program does not show much activity (idle)
Uses 32bit PE files
Classification
- System is w10x64
ntrights.exe (PID: 6796 cmdline: "C:\Users\ user\Deskt op\ntright s.exe" MD5: 416C43AEB17252EE33048BD1F277D2A5) 
conhost.exe (PID: 6780 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 1% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
⊘No contacted IP infos
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1453462 |
| Start date and time: | 2024-06-07 02:55:54 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 45s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | ntrights.exe |
| Detection: | CLEAN |
| Classification: | clean1.winEXE@2/1@0/0 |
| Cookbook Comments: |
|
- Not all processes where analyz
ed, report is missing behavior information
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\ntrights.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 954 |
| Entropy (8bit): | 4.639667401056998 |
| Encrypted: | false |
| SSDEEP: | 12:JIg11Wsj81zJeoI2ksRVd0I5pNTCu+MG25cTal3Jr5vI:mYWsw8L2kUnvzGwXrxI |
| MD5: | 0738872157F49B15C26B726F14936810 |
| SHA1: | 43CD75E2D52CE895BEC1C16B45D766F9AF77CE14 |
| SHA-256: | 7C1C238C8456F9095B59F1B99800528A5BEA52712FF3B5EE4DF41717D410F2CB |
| SHA-512: | 634F1C9FE5149C01ADFC2633A7F902CA7AA8DF596C9A2B62E488B5F1241B724012C90618044805AC308B5A7E72F42F28B679FECBF5879C3198E1FEBFC1A251BA |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.155904506995028 |
| TrID: |
|
| File name: | ntrights.exe |
| File size: | 32'256 bytes |
| MD5: | 416c43aeb17252ee33048bd1f277d2a5 |
| SHA1: | 085deb77551f9f6201e5aa352b62cad91c3005e5 |
| SHA256: | f46baa1b6227226518e42263e9b4808f81c27d060207df160f9ac64deae4f4f5 |
| SHA512: | 3155de3fb04f1df246d6cecfa1c89f8ae9963c18be1ce717731ff210ab39d537be01231002a54d4346b4116e3505f387c92dfecc18a80ce7eb99c6d33e5f1f2a |
| SSDEEP: | 384:V2xoEQ1hlwZ1GADuwSoDFJqawj0zIjiOURFtk+bn7c/bAxi1I2Y8AVq65zHwP9TG:+l6pGXtk+D7c/N1I2Cq65z60sl |
| TLSH: | A5E27C11B0E5817FF0D356B456B707255B77B85003B26B8F0B9814ABAB726C0AB3B353 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z..c.S.c.S.c.S.c.S.c.S.kIS.c.S.k.S.c.S.ktS.c.S.kKS.c.S.kNS.c.SRich.c.S........PE..L......>.................r...,.......-..... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x1002d03 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x1000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x3EA0A0FB [Sat Apr 19 01:06:03 2003 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 2 |
| File Version Major: | 5 |
| File Version Minor: | 2 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 2 |
| Import Hash: | ee4f39f47003fa082601c87fd03e9ee8 |
| Instruction |
|---|
| push 00000018h |
| push 01001930h |
| call 00007F5CFD208CBEh |
| mov ebx, 00000094h |
| push ebx |
| push 00000000h |
| mov edi, dword ptr [010010D4h] |
| call edi |
| push eax |
| call dword ptr [010010D8h] |
| mov esi, eax |
| test esi, esi |
| je 00007F5CFD208B2Ah |
| mov dword ptr [esi], ebx |
| push esi |
| call dword ptr [0100102Ch] |
| push esi |
| test eax, eax |
| jne 00007F5CFD208B26h |
| push eax |
| call edi |
| push eax |
| call dword ptr [010010E4h] |
| mov eax, 000000FFh |
| jmp 00007F5CFD208C62h |
| mov eax, dword ptr [esi+10h] |
| mov dword ptr [0100999Ch], eax |
| mov eax, dword ptr [esi+04h] |
| mov dword ptr [010099A8h], eax |
| mov eax, dword ptr [esi+08h] |
| mov dword ptr [010099ACh], eax |
| mov eax, dword ptr [esi+0Ch] |
| and eax, 00007FFFh |
| mov dword ptr [010099A0h], eax |
| xor ebx, ebx |
| push ebx |
| call edi |
| push eax |
| call dword ptr [010010E4h] |
| cmp dword ptr [0100999Ch], 02h |
| je 00007F5CFD208B19h |
| or byte ptr [010099A1h], FFFFFF80h |
| mov eax, dword ptr [010099A8h] |
| shl eax, 08h |
| add eax, dword ptr [010099ACh] |
| mov dword ptr [010099A4h], eax |
| call 00007F5CFD208A15h |
| mov dword ptr [ebp-1Ch], eax |
| push ebx |
| call 00007F5CFD2098E9h |
| pop ecx |
| test eax, eax |
| jne 00007F5CFD208B33h |
| cmp dword ptr [0100998Ch], 02h |
| je 00007F5CFD208B17h |
| call 00007F5CFD20913Eh |
| push 0000001Ch |
| call 00007F5CFD208FD6h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7b1c | 0x64 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1150 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2330 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x118 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x7174 | 0x7200 | 1f013d575cbd3a91498ae06e967b964f | False | 0.5901178728070176 | DOS executable (COM, 0x8C-variant) | 6.4508000934987875 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x2a80 | 0x800 | aedd1279a3b016d46b31eed4faaf3528 | False | 0.236328125 | data | 1.7030955196663338 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| ntdll.dll | RtlUnwind |
| KERNEL32.dll | GetCommandLineA, GetVersionExA, ExitProcess, GetProcAddress, GetModuleHandleA, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, InterlockedExchange, GetVersionExW, LoadLibraryA, Sleep, GetACP, GetSystemTimeAsFileTime, GetCPInfo, VirtualAlloc, SetFilePointer, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, FlushFileBuffers, SetStdHandle, GetLocaleInfoA, VirtualProtect, GetSystemInfo, CloseHandle, GetCurrentThreadId, GetTickCount, lstrlenW, MultiByteToWideChar, GetProcessHeap, HeapAlloc, HeapReAlloc, GetLastError, HeapFree, GetCurrentProcessId, VirtualQuery, GetOEMCP, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, QueryPerformanceCounter |
| USER32.dll | wsprintfW |
| ADVAPI32.dll | RegisterEventSourceW, ReportEventW, DeregisterEventSource, LsaNtStatusToWinError, LsaAddAccountRights, LsaRemoveAccountRights, LookupAccountNameW, LsaOpenPolicy, LsaClose |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 20:56:46 |
| Start date: | 06/06/2024 |
| Path: | C:\Users\user\Desktop\ntrights.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1000000 |
| File size: | 32'256 bytes |
| MD5 hash: | 416C43AEB17252EE33048BD1F277D2A5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 20:56:46 |
| Start date: | 06/06/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
⊘No disassembly
