Windows Analysis Report
Iwh4ctvGK6.exe

Overview

General Information

Sample name:Iwh4ctvGK6.exe
renamed because original name is a hash value
Original sample name:f3ded516a336e61eaa82823f3e64ab09.exe
Analysis ID:1466594
MD5:f3ded516a336e61eaa82823f3e64ab09
SHA1:4ca3c0fd5672ef87f535498501481c3fc5a55628
SHA256:da10a008749ab50acbc4fc72d575db059e80aa2ad2d365b6b1239c856374a3b4
Tags:exe
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file contains an invalid checksum
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Iwh4ctvGK6.exe | Virustotal: Detection: 28%
Source: Iwh4ctvGK6.exe | Joe Sandbox ML: detected
Source: Iwh4ctvGK6.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Iwh4ctvGK6.exe | Static PE information: Data appended to the last section found
Source: Iwh4ctvGK6.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal52.winEXE@0/0@0/0
Source: Iwh4ctvGK6.exe | Static PE information: real checksum: 0x350eb should be: 0x1fe5d
Source: Iwh4ctvGK6.exe | Static PE information: section name: .text entropy: 7.5101484713293685
MITRE ATT&CK matrix (matched techniques only): Defense Evasion: Software Packing (2), Obfuscated Files or Information (1)

Source          Detection  Scanner
Iwh4ctvGK6.exe  29%        Virustotal
Iwh4ctvGK6.exe  100%       Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1466594
Start date and time:2024-07-03 07:46:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 30s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Iwh4ctvGK6.exe
renamed because original name is a hash value
Original Sample Name:f3ded516a336e61eaa82823f3e64ab09.exe
Detection:MAL
Classification:mal52.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.040005151472149
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Iwh4ctvGK6.exe
File size:125'135 bytes
MD5:f3ded516a336e61eaa82823f3e64ab09
SHA1:4ca3c0fd5672ef87f535498501481c3fc5a55628
SHA256:da10a008749ab50acbc4fc72d575db059e80aa2ad2d365b6b1239c856374a3b4
SHA512:0079a7091cbb0c2ac10d977437c60856ffe7e3f07239fbf44d914de48f4d5133e2ba98085cd959e3f2250982a4c98b36b7b53ef91ec0104a6737e16f7bb851b9
SSDEEP:3072:kf59LNHMsreVriGs8ZItaIiIwNFhPQ5c:Y59LNHDiVOu9Igl
TLSH:E2C3E0D07950C072C54A55304455CAB06B3EBC70DBA6CACF3B7A23AE5F721E25B3A35A
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.................d.......u.......c.x...?"..........u.....j.......t.......q.....Rich............PE..L...1#3d.................j.
Icon Hash:00928e8e8686b000
Entrypoint:0x401908
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x64332331 [Sun Apr 9 20:42:25 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:1f26c0d9ea65ace741c1ad9345fbbca3
Instruction
call 00007F09C52CA505h
jmp 00007F09C52C67CEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041C918h], eax
mov dword ptr [0041C914h], ecx
mov dword ptr [0041C910h], edx
mov dword ptr [0041C90Ch], ebx
mov dword ptr [0041C908h], esi
mov dword ptr [0041C904h], edi
mov word ptr [0041C930h], ss
mov word ptr [0041C924h], cs
mov word ptr [0041C900h], ds
mov word ptr [0041C8FCh], es
mov word ptr [0041C8F8h], fs
mov word ptr [0041C8F4h], gs
pushfd
pop dword ptr [0041C928h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041C91Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041C920h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041C92Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041C868h], 00010001h
mov eax, dword ptr [0041C920h]
mov dword ptr [0041C81Ch], eax
mov dword ptr [0041C810h], C0000409h
mov dword ptr [0041C814h], 00000001h
mov eax, dword ptr [0041B004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041B008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A4h]
Programming Language:
  • [C++] VS2008 build 21022
  • [ASM] VS2008 build 21022
  • [ C ] VS2008 build 21022
  • [IMP] VS2005 build 50727
  • [RES] VS2008 build 21022
  • [LNK] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x197ec          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2308000        0xdbe8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x18000          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x169db       0x16a00   0feabcb326098264cc3cf9288aaff495  False     0.8049248964088398   data       7.5101484713293685  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x18000          0x2060        0x2200    2471ecf55d839f1dc649ef6231121337  False     0.35098805147058826  data       5.387579547232506   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x1b000          0x22ec548     0x1e00    24efae86dbce854ae2814cac0ac7995c  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x2308000        0xdbe8        0xdc00    4c88df4908e7cad24ed4034b75451645  False     0.620259050149452    data       5.993479342927657   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name             RVA        Size    Type                                                                                   Language  Country  ZLIB Complexity
NUSUTUMA         0x230eed8  0x3fa   empty                                                                                  Turkish   Turkey   0
RT_CURSOR        0x230f2d8  0x130   empty                                                                                                     0
RT_ICON          0x23086a0  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  Turkish   Turkey   0.6103411513859275
RT_ICON          0x2309548  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  Turkish   Turkey   0.6890794223826715
RT_ICON          0x2309df0  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors   Turkish   Turkey   0.755184331797235
RT_ICON          0x230a4b8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors   Turkish   Turkey   0.7940751445086706
RT_ICON          0x230aa20  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216                       Turkish   Turkey   0.6139077499414657
RT_ICON          0x230cfc8  0x10a8  empty                                                                                  Turkish   Turkey   0
RT_ICON          0x230e070  0x988   empty                                                                                  Turkish   Turkey   0
RT_ICON          0x230e9f8  0x468   empty                                                                                  Turkish   Turkey   0
RT_STRING        0x230f5d0  0xaa    empty                                                                                                     0
RT_STRING        0x230f680  0x6e    empty                                                                                                     0
RT_STRING        0x230f6f0  0x6b2   empty                                                                                                     0
RT_STRING        0x230fda8  0x688   empty                                                                                                     0
RT_STRING        0x2310430  0x6a4   empty                                                                                                     0
RT_STRING        0x2310ad8  0x202   empty                                                                                                     0
RT_STRING        0x2310ce0  0x6a4   empty                                                                                                     0
RT_STRING        0x2311388  0x6d8   empty                                                                                                     0
RT_STRING        0x2311a60  0x7e0   empty                                                                                                     0
RT_STRING        0x2312240  0x71a   empty                                                                                                     0
RT_STRING        0x2312960  0x698   empty                                                                                                     0
RT_STRING        0x2312ff8  0x798   empty                                                                                                     0
RT_STRING        0x2313790  0x6dc   empty                                                                                                     0
RT_STRING        0x2313e70  0x82c   empty                                                                                                     0
RT_STRING        0x23146a0  0x672   empty                                                                                                     0
RT_STRING        0x2314d18  0x752   empty                                                                                                     0
RT_STRING        0x2315470  0x720   empty                                                                                                     0
RT_STRING        0x2315b90  0x52    empty                                                                                                     0
RT_GROUP_CURSOR  0x230f408  0x14    empty                                                                                                     0
RT_GROUP_ICON    0x230ee60  0x76    empty                                                                                  Turkish   Turkey   0
RT_VERSION       0x230f420  0x1b0   empty                                                                                                     0
DLL: Imports
KERNEL32.dll: ZombifyActCtx, CreateJobObjectW, GetModuleHandleExW, SetVolumeMountPointW, SleepEx, GetCommProperties, GetModuleHandleW, GetTickCount, ReadConsoleOutputA, GlobalAlloc, GetConsoleAliasExesLengthW, lstrcpynW, WriteConsoleW, GetModuleFileNameW, OpenJobObjectA, GetLastError, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, SetFileApisToANSI, AddAtomA, FoldStringA, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, GetConsoleAliasesW, GetComputerNameA, CreateFileA, GetConsoleOutputCP, MultiByteToWideChar, HeapReAlloc, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, HeapSize, ExitProcess, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA
GDI32.dll: GetBoundsRect
ole32.dll: CoTaskMemRealloc
Language of compilation system:Turkish
Country where language is spoken:Turkey
No network behavior found
No statistics
No system behavior
No disassembly