Windows
Analysis Report
TavernWorker.exe
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
TavernWorker.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\TavernWorker.exe" MD5: 4F6FCCAC4AEBF9F5A9E46909D81D3FAB)
- cleanup
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | String found in binary or memory: | (18 matching strings; their text is not included in this extract)
System Summary |
---|
Source: | Static PE information: | (3 entries)
Source: | Classification label: | mal52.evad.winEXE@1/1@0/0
Source: | Key opened: |
Source: | Section loaded: | (19 entries; the loaded module names are not included in this extract)
Source: | Static PE information: | (3 entries)
Source: | Static file information: |
Source: | Static PE information: | (7 entries)
Source: | Process information set: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | NtProtectVirtualMemory: | (9 calls recorded; the affected regions and requested protections are not included in this extract)

Repeated NtProtectVirtualMemory calls from an image whose .text, .rdata and .data sections have a raw size of 0 on disk (see the section table below) are consistent with the binary rewriting page protections while it unpacks its own code at runtime.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Abuse Elevation Control Mechanism | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |

Only the cells prefixed with a count (1 DLL Side-Loading, 1 Abuse Elevation Control Mechanism, 1 System Information Discovery) are techniques matched by this analysis's signatures; the remaining cells are the matrix's default placeholders for each tactic, not observed behaviour.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(4 URLs; not included in this extract) | 0% | Avira URL Cloud | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(4 entries; names not included in this extract) | | false | | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1483025 |
Start date and time: | 2024-07-26 14:19:58 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 18s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | TavernWorker.exe |
Detection: | MAL |
Classification: | mal52.evad.winEXE@1/1@0/0 |
EGA Information: | Failed |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com
- VT rate limit hit for: TavernWorker.exe
Process: | C:\Users\user\Desktop\TavernWorker.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 648 |
Entropy (8bit): | 7.435306483065724 |
Encrypted: | false |
SSDEEP: | 12:Bpk3oPhkt0q+Wpk3oPhkt0l2+iHfOUFpk3oPhkt0YkPfU6EYA/j37:BpaRtB+WpaRtNJPpaRtpkPfUrPj37 |
MD5: | 95B1B017EF40626A7349E7F2EB0D266E |
SHA1: | A5B4AA03320EF4B06D52B03629A4BA3DFE9C6D33 |
SHA-256: | A583389268DD2697E4E89E098D331173D29B9DB632F14BA98D53B3FEFEBFD1FA |
SHA-512: | 6E354D7857B3A87E1805FBC73AC8B2C060031563587B1DED9DE2CDAEFFD5E973EB3EE2525B378349113593769E7DBCACB154057634E38285ADAE75C8C24AC46A |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.79430846166827 |
TrID: |
File name: | TavernWorker.exe |
File size: | 26'065'328 bytes |
MD5: | 4f6fccac4aebf9f5a9e46909d81d3fab |
SHA1: | e28b55e9cbbb9cba1f6cd8a08ffcd426e5d7331d |
SHA256: | e236ef1eebc1623fe23ec12b60df20bd36211a18a0e3279373eec6acfe530be7 |
SHA512: | d132efa063f0b41c9a59f78540ae167053f16d724974b1a57f1d778a2bd12809b43c483ee8eafc33d43a3dbadee1104909afa3e165fcb6603e5b29f94a899fde |
SSDEEP: | 393216:rZOhaWe6nHXCVetIm7os+0zV15v/9Eg5usqV3qNcTak8i:rWaWe0CMtImksvD5XcHgNcX8i |
TLSH: | 9E47238A66E9F2D8C7C214B4364645D630C4A8AE90FE49343ECB5C03B634D6F559EEF2 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...d".f..........#.......]...D.......}........@.............................@......>..... ................................ |
Icon Hash: | 1731d0d4e8313317 |
Entrypoint: | 0x1417dead8 |
Entrypoint Section: | .q#9, |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66A22264 [Thu Jul 25 10:01:08 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 5c680ccbcf1f2b39a51841f631a253a6 |
Signature Valid: | true |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After |
Subject Chain |

The certificate validity window and subject chain were not captured in this extract. A signature that chains to a DigiCert CA and validates establishes who signed the file, not that the packed payload is benign; pivot on the serial and SHA-256 thumbprint below rather than on "Signature Valid: true".
Version: | 3 |
Thumbprint MD5: | 1447BEC63833F8FDFD6DA1C68E6EBD71 |
Thumbprint SHA-1: | F75A97056BE27687A9566D8990E0195DEEBAED26 |
Thumbprint SHA-256: | F8271ABF570275983924AAE705493F0C230515048AED3B990668710133C40E5F |
Serial: | 0B2ABADED1E199A4C9696D4013C51CBB |
Entrypoint preview. The entrypoint RVA (0x1417dead8 - 0x140000000 = 0x17dead8) falls inside the non-standard .q#9, section rather than .text, and the bytes there do not form a compiler prologue, which is why the disassembler prints nonsense such as `sub dh, byte ptr [edx-1Dh]` and `retn F347h`.

Instruction |
---|
call 00007F5048E0419Fh
je 00007F5048D6E353h
sub dh, byte ptr [edx-1Dh]
cmp byte ptr [edi-75h], dh
pop esi
retn F347h
scasb
popfd
jnp 00007F5048D6E2DEh
mov bp, ds
mov edi, C1142F0Ch
inc ecx
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27687f0 | 0x17c | .q#9, |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30ad000 | 0x6f65 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x30732f0 | 0x39300 | .q#9, |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18d9000 | 0x29b0 | .q#9, |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x17e34a0 | 0x28 | .q#9, |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x30731b0 | 0x138 | .q#9, |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17da000 | 0x120 | .v>'I |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5d7e58 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x5d9000 | 0x24752c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x821000 | 0x1c20c8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x9e4000 | 0x38d18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0xa1d000 | 0xf4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
CPADinfo | 0xa1e000 | 0x38 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
. dB/ | 0xa1f000 | 0xdba9b2 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.v>'I | 0x17da000 | 0x1538 | 0x1600 | 61c0b4e86b8ffb519ef5e50e7c75126c | False | 0.02361505681818182 | data | 0.15607580838853874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.q#9, | 0x17dc000 | 0x18d05f0 | 0x18d0600 | 7d468632aeb8ab6fa07d854523c07fd1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x30ad000 | 0x6f65 | 0x7000 | caa7738631c2839e4b73fbd78b293f2f | False | 0.51220703125 | data | 5.435679114946002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
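The section table above carries the most useful static signals in this report: .text, .rdata, .data and a second executable section named ". dB/" have a virtual size but a raw size of 0, three sections have names no linker emits, the entrypoint sits in .q#9, rather than .text, and the IMAGE_DIRECTORY_ENTRY_SECURITY entry ends exactly at the file size. The following script is an added example, not part of the Joe Sandbox report or of the sample; it transcribes the report's numbers into constants and runs the checks a reviewer would apply before trusting "Digitally signed: true" (the checks generalise to any PE section table, so the constants can be swapped for values read from a fresh file).

```python
"""Static PE triage over the figures Joe Sandbox printed for TavernWorker.exe.

Added example; not part of the report or the sample.  Every number below is
transcribed from the report's section table, data-directory table and
'Static File Info' block, so the script runs offline.  Replace the constants
with values parsed from another PE to run the same checks on it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

EXECUTE = "IMAGE_SCN_MEM_EXECUTE"
WRITE = "IMAGE_SCN_MEM_WRITE"
CODE = "IMAGE_SCN_CNT_CODE"


@dataclass(frozen=True)
class Section:
    name: str
    va: int        # RVA at which the section is mapped
    vsize: int     # VirtualSize
    rsize: int     # SizeOfRawData (bytes actually present in the file)
    flags: frozenset  # only the characteristics the checks below use

    def contains_rva(self, rva: int) -> bool:
        return self.va <= rva < self.va + self.vsize


# Section table as printed in the report (name, VA, VSize, RawSize, flags).
SECTIONS: List[Section] = [
    Section(".text",    0x1000,     0x5d7e58,  0x0,       frozenset({CODE, EXECUTE})),
    Section(".rdata",   0x5d9000,   0x24752c,  0x0,       frozenset()),
    Section(".data",    0x821000,   0x1c20c8,  0x0,       frozenset({WRITE})),
    Section(".pdata",   0x9e4000,   0x38d18,   0x0,       frozenset()),
    Section("_RDATA",   0xa1d000,   0xf4,      0x0,       frozenset()),
    Section("CPADinfo", 0xa1e000,   0x38,      0x0,       frozenset({WRITE})),
    Section(". dB/",    0xa1f000,   0xdba9b2,  0x0,       frozenset({CODE, EXECUTE})),
    Section(".v>'I",    0x17da000,  0x1538,    0x1600,    frozenset({WRITE})),
    Section(".q#9,",    0x17dc000,  0x18d05f0, 0x18d0600, frozenset({CODE, EXECUTE})),
    Section(".rsrc",    0x30ad000,  0x6f65,    0x7000,    frozenset()),
]

IMAGE_BASE = 0x140000000
ENTRYPOINT = 0x1417dead8            # 'Entrypoint' in the Static File Info block
FILE_SIZE = 26_065_328              # 'File size' in the same block
# IMAGE_DIRECTORY_ENTRY_SECURITY is the one directory whose 'VirtualAddress'
# is a raw file offset rather than an RVA.
SECURITY_OFFSET, SECURITY_SIZE = 0x18d9000, 0x29b0
DATA_DIRS: Dict[str, int] = {       # RVA-based directories from the report
    "IMPORT": 0x27687f0, "RESOURCE": 0x30ad000, "EXCEPTION": 0x30732f0,
    "TLS": 0x17e34a0, "LOAD_CONFIG": 0x30731b0, "IAT": 0x17da000,
}


def section_for_rva(rva: int) -> Optional[str]:
    """Name of the section whose virtual range covers `rva`, or None."""
    for s in SECTIONS:
        if s.contains_rva(rva):
            return s.name
    return None


def entrypoint_section() -> Optional[str]:
    return section_for_rva(ENTRYPOINT - IMAGE_BASE)


def runtime_unpacked_code_sections() -> List[str]:
    """Executable sections that reserve address space but hold no bytes on
    disk: their contents must be written in by the program itself after load."""
    return [s.name for s in SECTIONS
            if EXECUTE in s.flags and s.vsize > 0 and s.rsize == 0]


def nonstandard_section_names() -> List[str]:
    """Section names containing characters no linker emits by default."""
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
    return [s.name for s in SECTIONS if not set(s.name) <= allowed]


def signature_is_trailing_overlay() -> bool:
    """The Authenticode certificate table should be the last bytes of the file."""
    return SECURITY_OFFSET + SECURITY_SIZE == FILE_SIZE


def directory_sections() -> Dict[str, Optional[str]]:
    """Which section each RVA-based data directory lands in (compare with the
    report's 'Is in Section' column)."""
    return {name: section_for_rva(rva) for name, rva in DATA_DIRS.items()}


def triage() -> dict:
    return {
        "entrypoint_section": entrypoint_section(),
        "entrypoint_in_.text": entrypoint_section() == ".text",
        "code_unpacked_at_runtime": runtime_unpacked_code_sections(),
        "nonstandard_section_names": nonstandard_section_names(),
        "signature_at_eof": signature_is_trailing_overlay(),
        "directory_sections": directory_sections(),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:28} {value}")
```

For this sample the script reports the entrypoint in .q#9,, .text and ". dB/" as executable sections that exist only after the program fills them in, three non-standard section names, and a certificate table that ends exactly at byte 26,065,328. A valid signature that covers a file with those properties still tells you who signed it, not what the unpacked code does.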
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x30ad1f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Korean | North Korea | 0.41400709219858156 |
RT_ICON | 0x30ad1f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Korean | South Korea | 0.41400709219858156 |
RT_ICON | 0x30ad658 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Korean | North Korea | 0.34508196721311474 |
RT_ICON | 0x30ad658 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Korean | South Korea | 0.34508196721311474 |
RT_ICON | 0x30adfe0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Korean | North Korea | 0.2875234521575985 |
RT_ICON | 0x30adfe0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Korean | South Korea | 0.2875234521575985 |
RT_ICON | 0x30af088 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Korean | North Korea | 0.2103734439834025 |
RT_ICON | 0x30af088 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Korean | South Korea | 0.2103734439834025 |
RT_ICON | 0x30b1630 | 0x242c | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | Korean | North Korea | 0.9951403887688985 |
RT_ICON | 0x30b1630 | 0x242c | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | Korean | South Korea | 0.9951403887688985 |
RT_GROUP_ICON | 0x30b3a60 | 0x4c | data | Korean | North Korea | 0.7763157894736842 |
RT_GROUP_ICON | 0x30b3a60 | 0x4c | data | Korean | South Korea | 0.7763157894736842 |
RT_VERSION | 0x30b3ab0 | 0x334 | data | Korean | North Korea | 0.43414634146341463 |
RT_VERSION | 0x30b3ab0 | 0x334 | data | Korean | South Korea | 0.43414634146341463 |
RT_MANIFEST | 0x30b3de8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
KERNEL32.dll | GetVersion |
USER32.dll | GetSystemMetrics |
ADVAPI32.dll | OpenProcessToken |
SHELL32.dll | SHCreateDirectoryExW |
ole32.dll | CoSetProxyBlanket |
OLEAUT32.dll | SysFreeString |
VERSION.dll | GetFileVersionInfoA |
Secur32.dll | FreeContextBuffer |
d3d11.dll | D3D11CreateDevice |
WININET.dll | InternetOpenUrlW |
VCOMP140.DLL | _vcomp_for_dynamic_next |
WS2_32.dll | WSAStartup |
bcrypt.dll | BCryptGetProperty |
USERENV.dll | GetUserProfileDirectoryW |
dbghelp.dll | SymInitialize |
WINHTTP.dll | WinHttpOpenRequest |
CRYPT32.dll | CertFreeCertificateChainEngine |
ncrypt.dll | NCryptImportKey |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Korean | North Korea | |
Korean | South Korea | |
English | United States |
Target ID: | 0 |
Start time: | 08:20:48 |
Start date: | 26/07/2024 |
Path: | C:\Users\user\Desktop\TavernWorker.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\TavernWorker.exe" |
Imagebase: | 0x140000000 |
File size: | 26'065'328 bytes |
MD5 hash: | 4F6FCCAC4AEBF9F5A9E46909D81D3FAB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |