Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
9Aa8t2BpXw.exe

Overview

General Information

Sample name:9Aa8t2BpXw.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:e311311e87b139aba78af0501e1efccfc1b2a892e8527a8f424bfca2504041ae
Analysis ID:1466765
MD5:7dace8a768bac984b85cef1ed5876d10
SHA1:39decd456c18d95d36d23f644ae9eaccef10b125
SHA256:e311311e87b139aba78af0501e1efccfc1b2a892e8527a8f424bfca2504041ae

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • 9Aa8t2BpXw.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\9Aa8t2BpXw.exe" MD5: 7DACE8A768BAC984B85CEF1ED5876D10)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: 9Aa8t2BpXw.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: 9Aa8t2BpXw.exeVirustotal: Detection: 14%Perma Link
Source: 9Aa8t2BpXw.exeReversingLabs: Detection: 21%
Source: 9Aa8t2BpXw.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

System Summary

barindex
PE file has a writeable .text section
Source: 9Aa8t2BpXw.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 9Aa8t2BpXw.exe, 00000000.00000000.1632805996.0000000000405000.00000080.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamepConfigLanguage.EXEJ vs 9Aa8t2BpXw.exe
Source: 9Aa8t2BpXw.exeBinary or memory string: OriginalFilenamepConfigLanguage.EXEJ vs 9Aa8t2BpXw.exe
Source: 9Aa8t2BpXw.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: mal60.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: 9Aa8t2BpXw.exeVirustotal: Detection: 14%
Source: 9Aa8t2BpXw.exeReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: mfc42.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\9Aa8t2BpXw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
DLL Side-Loading		OS Credential Dumping1
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
9Aa8t2BpXw.exe15%VirustotalBrowse
9Aa8t2BpXw.exe22%ReversingLabsWin32.Trojan.Generic
9Aa8t2BpXw.exe100%AviraTR/Patched.Ren.Gen

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1466765
Start date and time:2024-07-03 11:16:27 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 31s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:9Aa8t2BpXw.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:e311311e87b139aba78af0501e1efccfc1b2a892e8527a8f424bfca2504041ae
Detection:MAL
Classification:mal60.winEXE@1/0@0/0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):3.0354469617074753
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:9Aa8t2BpXw.exe
File size:24'576 bytes
MD5:7dace8a768bac984b85cef1ed5876d10
SHA1:39decd456c18d95d36d23f644ae9eaccef10b125
SHA256:e311311e87b139aba78af0501e1efccfc1b2a892e8527a8f424bfca2504041ae
SHA512:5484cd17dac8679d1cb6b040ee484074b44bc8bf89751d23862484328e1e86062425c624270383cb5688a233ae824deac7b4b4c577ef136b70a4cbfecb6f0fa9
SSDEEP:192:jnvJd17RgnXzjTBigO2JhgTfqJm1oynP4aE:jBv+XzfqwgTF1x4b
TLSH:1CB2B71EAA914666DAE18A3016BF1F375575EC230E3987D71F04FE0C2832152AE3331E
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P...>...>...>.Q.c...>.Q.0...>...4...>...:...>...:...>...?.B.>...5...>...8...>.Rich..>.........PE..L....h.W................. .

File Icon

Icon Hash:71b018dccec77331

Static PE Info

General

Entrypoint:0x401eee
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x577F689D [Fri Jul 8 08:47:25 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f89bbb768d753291c8f3d2c681f78e94

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00403650h
push 00402074h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004031F4h]
pop ecx
or dword ptr [00404200h], FFFFFFFFh
or dword ptr [00404204h], FFFFFFFFh
call dword ptr [004031F0h]
mov ecx, dword ptr [004041F4h]
mov dword ptr [eax], ecx
call dword ptr [004031ECh]
mov ecx, dword ptr [004041F0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004031E8h]
mov eax, dword ptr [eax]
mov dword ptr [004041FCh], eax
call 00007FB5C4DC5A8Bh
cmp dword ptr [00404100h], ebx
jne 00007FB5C4DC597Eh
push 00402070h
call dword ptr [004031E4h]
pop ecx
call 00007FB5C4DC5A5Dh
push 00404014h
push 00404010h
call 00007FB5C4DC5A48h
mov eax, dword ptr [004041ECh]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004041E8h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004031DCh]
push 0040400Ch
push 00404000h
call 00007FB5C4DC5A15h

Rich Headers

Programming Language:
  • [C++] VS98 (6.0) SP6 build 8804
  • [EXP] VC++ 6.0 SP5 build 8804

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x38500x64.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x50000xb28.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x30000x250.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x12a10x20006e7ecf9393cf4256f06e2ab23bc68da8False0.3182373046875data3.972879483466224IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata0x30000xd440x1000818392e7c6b560c87bda558658bb4cabFalse0.319580078125data4.374278148766708IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data0x40000x2080x1000620ad1f8916a0ca4fa622789835990a6False0.03662109375data0.5152118350094104IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc0x50000x10000x10000f5032620299533e2938b9a3415bf0d4False0.257568359375data2.6025868653035547IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_ICON0x51e00x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512ChineseChina0.33064516129032256
RT_ICON0x54c80x128Device independent bitmap graphic, 16 x 32 x 4, image size 128ChineseChina0.4391891891891892
RT_DIALOG0x56180xf6dataChineseChina0.6666666666666666
RT_DIALOG0x57100x9edataChineseChina0.6708860759493671
RT_STRING0x5ad00x52dataChineseChina0.7195121951219512
RT_GROUP_ICON0x55f00x22dataChineseChina1.0
RT_VERSION0x57b00x320dataChineseChina0.46875

Imports

DLLImport
MFC42.DLL
MSVCRT.dll__getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, _mbscmp, __CxxFrameHandler, _setmbcp, _acmdln
KERNEL32.dllGetPrivateProfileStringA, WritePrivateProfileStringA, GetModuleFileNameA, GetModuleHandleA, GetStartupInfoA, GetPrivateProfileIntA
USER32.dllGetSystemMenu, SendMessageA, DrawIcon, GetClientRect, GetSystemMetrics, IsIconic, EnableWindow, LoadIconA, AppendMenuA

Possible Origin

Language of compilation systemCountry where language is spokenMap
ChineseChina

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

General

Target ID:0
Start time:05:17:13
Start date:03/07/2024
Path:C:\Users\user\Desktop\9Aa8t2BpXw.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\9Aa8t2BpXw.exe"
Imagebase:0x400000
File size:24'576 bytes
MD5 hash:7DACE8A768BAC984B85CEF1ED5876D10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Disassembly

No disassembly