
Windows Analysis Report
pwdump.exe

Overview

General Information

Sample name: pwdump.exe
Analysis ID: 1465755
MD5: a0b60ca561897bed096a2d2171fc43e9
SHA1: 863db3a58c14ac26dacb1928a72a8f30eade65a4
SHA256: 799b82830977f1e159bde8818bef466ad05fb438194d834537af461f11a53834
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Potential time zone aware malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w7x64
  • pwdump.exe (PID: 3056 cmdline: "C:\Users\user\Desktop\pwdump.exe" MD5: A0B60CA561897BED096A2D2171FC43E9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
pwdump.exe | PwDump_B | Detects a tool used by APT groups - file PwDump.exe | Florian Roth |
  • 0x298d9:$x2: pwdump6 Version %s by fizzgig and the mighty group at foofus.net
  • 0x292b8:$x4: Couldn't delete target executable from remote machine: %d
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: pwdump.exe | ReversingLabs: Detection: 47%
Source: pwdump.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

System Summary

Source: pwdump.exe, type: SAMPLE | Matched rule: Detects a tool used by APT groups - file PwDump.exe Author: Florian Roth
Source: C:\Users\user\Desktop\pwdump.exe | Memory allocated: 770B0000 page execute and read and write
Source: pwdump.exe, 00000000.00000000.338310864.0000000000431000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename PWD.exe vs pwdump.exe
Source: pwdump.exe | Binary or memory string: OriginalFilename PWD.exe vs pwdump.exe
Source: pwdump.exe, type: SAMPLE | Matched rule: PwDump_B date = 2016-09-08, hash1 = 3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982, author = Florian Roth, description = Detects a tool used by APT groups - file PwDump.exe, reference = http://goo.gl/igxLyF, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal56.winEXE@1/0@0/0
Source: pwdump.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pwdump.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pwdump.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\pwdump.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\pwdump.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\pwdump.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\pwdump.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\pwdump.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\pwdump.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\pwdump.exe | System information queried: CurrentTimeZoneInformation
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK Matrix (tactic: techniques shown in the matrix; a count in parentheses marks a technique matched by a signature)
  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts
  • Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts
  • Defense Evasion: DLL Side-Loading (1); Rootkit
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: System Time Discovery (1); System Information Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: Data Obfuscation; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service
Source | Detection | Scanner | Label | Link
pwdump.exe | 48% | ReversingLabs | Win32.Hacktool.PwDump |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465755
Start date and time: 2024-07-02 01:09:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pwdump.exe
Detection: MAL
Classification: mal56.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: pwdump.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.024455346706864
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: pwdump.exe
File size: 192'512 bytes
MD5: a0b60ca561897bed096a2d2171fc43e9
SHA1: 863db3a58c14ac26dacb1928a72a8f30eade65a4
SHA256: 799b82830977f1e159bde8818bef466ad05fb438194d834537af461f11a53834
SHA512: 6c005299753c264d420287e9e36ede1b3be10451ddb7ffbf104d50424f121153811214bee0b3ec3b2474918484f49c0d709e04db81af05b6e99f70cf48627e9e
SSDEEP: 3072:8vbWx06qih5yUUtx8BuDFhkee7l2aaQFyu8dshvWzuc4czoEbHiF:8vbr6DhEUUx8BuphLe7l2aa+mstWzuSi
TLSH: 66147C2635E2C4BBD54200304EF49FB9B7FDE5654F2798C38B985B5C8B31CB2862B199
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............q...q...q...m...q...n...q../m...q...n..+q...q...q...n...q...R...q..Dn...q..kw...q..Rich.q..................PE..L....gyF...
Icon Hash: aaf3e3e3918382a0
Entrypoint: 0x406ddc
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x4679670E [Wed Jun 20 17:42:38 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 632969ddf6dbf4e0f53424b75e4b91f2
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00423320h
push 0040810Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004220E4h]
xor edx, edx
mov dl, ah
mov dword ptr [0042F034h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0042F030h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0042F02Ch], ecx
shr eax, 10h
mov dword ptr [0042F028h], eax
push 00000001h
call 00007FAEE8B1BC94h
pop ecx
test eax, eax
jne 00007FAEE8B1A77Ah
push 0000001Ch
call 00007FAEE8B1A820h
pop ecx
call 00007FAEE8B1B638h
test eax, eax
jne 00007FAEE8B1A77Ah
push 00000010h
call 00007FAEE8B1A80Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007FAEE8B1B0EAh
call dword ptr [00422074h]
mov dword ptr [0042F8E4h], eax
call 00007FAEE8B1F897h
mov dword ptr [0042F010h], eax
call 00007FAEE8B1F640h
call 00007FAEE8B1F582h
call 00007FAEE8B1B440h
mov eax, dword ptr [0042F044h]
mov dword ptr [0042F048h], eax
push eax
push dword ptr [0042F03Ch]
push dword ptr [0042F038h]
call 00007FAEE8B14BD4h
add esp, 0Ch
Programming Language:
  • [ C ] VS98 (6.0) build 8168
  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27870 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x31000 | 0x430 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x22000 | 0x1c8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x20186 | 0x21000 | df9d76fe3bdc873bad1ab056de319a30 | False | 0.5322339607007576 | data | 6.544917334410032 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x22000 | 0x62ae | 0x7000 | 9bfce1099ab9c5a7cc10545cf26612b3 | False | 0.39990234375 | data | 4.788083505486089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x29000 | 0x7905 | 0x5000 | 05037c710c9179141b0c3cedac78e173 | False | 0.241796875 | data | 3.3347933298347288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x31000 | 0x430 | 0x1000 | 9d1c066763515512b605195e659ee202 | False | 0.12451171875 | data | 1.1063011561120997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x31060 | 0x3cc | data | English | United States | 0.4722222222222222
DLL | Import
MPR.dll | WNetAddConnection2A, WNetCancelConnection2A
KERNEL32.dll | QueryPerformanceCounter, GetCurrentDirectoryA, GetLastError, CopyFileA, GetModuleFileNameA, CloseHandle, GlobalReAlloc, Sleep, ReadFile, SetNamedPipeHandleState, CreateFileA, WaitNamedPipeA, CompareStringA, GetLocaleInfoW, DeleteFileA, WaitForSingleObject, MultiByteToWideChar, GlobalFree, CompareStringW, SetEnvironmentVariableA, GlobalAlloc, GetCommandLineA, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, SetEndOfFile, LoadLibraryA, EnterCriticalSection, LeaveCriticalSection, CreateThread, GetCurrentThreadId, TlsSetValue, ExitThread, HeapFree, HeapAlloc, WriteConsoleA, ReadConsoleInputA, SetConsoleMode, GetConsoleMode, GetTimeZoneInformation, GetSystemTime, GetLocalTime, RtlUnwind, RaiseException, InterlockedDecrement, InterlockedIncrement, WideCharToMultiByte, InterlockedExchange, GetVersion, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, InitializeCriticalSection, TlsAlloc, SetLastError, TlsGetValue, UnhandledExceptionFilter, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, WriteFile, SetFilePointer, FlushFileBuffers, HeapSize, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetStdHandle, IsBadReadPtr, IsBadCodePtr, GetCPInfo, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, GetACP, GetOEMCP, GetProcAddress
USER32.dll | wsprintfA
ADVAPI32.dll | CreateServiceA, OpenServiceA, StartServiceA, QueryServiceStatus, DeleteService, CloseServiceHandle, OpenSCManagerA
ole32.dll | StringFromGUID2, CoCreateGuid
NETAPI32.dll | NetApiBufferFree, NetShareEnum, NetShareGetInfo
Language of compilation system | Country where language is spoken | Map
English | United States |
No network behavior found


Target ID: 0
Start time: 19:09:54
Start date: 01/07/2024
Path: C:\Users\user\Desktop\pwdump.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\pwdump.exe"
Imagebase: 0x400000
File size: 192'512 bytes
MD5 hash: A0B60CA561897BED096A2D2171FC43E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

No disassembly