Windows Analysis Report
fontdrvhost.exe

Overview

General Information

Sample name: fontdrvhost.exe
Analysis ID: 1491788
MD5: ee70bd5cb31bb41dc6731979aa0fea6a
SHA1: 520e94e047855242c4d2a80649bbd0f816af90e5
SHA256: f9e40584676d5e3f4320eccef070436d765cf4f668121b3bd14c9f50747fb2b4

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Binary contains a suspicious time stamp
Program does not show much activity (idle)

Classification

  • System is w10x64
  • fontdrvhost.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\fontdrvhost.exe" MD5: EE70BD5CB31BB41DC6731979AA0FEA6A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: fontdrvhost.exe | Static PE information: certificate valid
Source: fontdrvhost.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: fontdrvhost.pdbUGP source: fontdrvhost.exe
Source: Binary string: fontdrvhost.pdb source: fontdrvhost.exe
Source: classification engine | Classification label: clean1.winEXE@1/0@0/0
Source: fontdrvhost.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\fontdrvhost.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\fontdrvhost.exe | Section loaded: kernel.appcore.dll
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: fontdrvhost.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: fontdrvhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: fontdrvhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: fontdrvhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: fontdrvhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: fontdrvhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: fontdrvhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: fontdrvhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: fontdrvhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: fontdrvhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: fontdrvhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: fontdrvhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: fontdrvhost.exe | Static PE information: 0xA863BA21 [Fri Jul 11 00:13:21 2059 UTC]
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK matrix (tactic: technique, with the number of matched signatures):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: DLL Side-Loading (1), Timestomp (1)
  • Discovery: System Information Discovery (1)
No techniques were matched in the remaining tactic columns (Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact).
Behavior graph: fontdrvhost.exe started (Behavior Graph ID: 1491788, Sample: fontdrvhost.exe, Startdate: 12/08/2024, Architecture: WINDOWS, Score: 1)

Source | Detection | Scanner | Label | Link
fontdrvhost.exe | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1491788
Start date and time: 2024-08-12 20:16:50 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fontdrvhost.exe
Detection: CLEAN
Classification: clean1.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • VT rate limit hit for: fontdrvhost.exe
No simulations
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.559257279891314
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: fontdrvhost.exe
File size: 835'272 bytes
MD5: ee70bd5cb31bb41dc6731979aa0fea6a
SHA1: 520e94e047855242c4d2a80649bbd0f816af90e5
SHA256: f9e40584676d5e3f4320eccef070436d765cf4f668121b3bd14c9f50747fb2b4
SHA512: 35b7e86dd6a41711e9e82291c91b14589cd832d4b7af5668aef524b30fb003f8c02204281003b8115abe40b3551da45d1d2cc421b4a7a0e8d284ffed85d7b2bb
SSDEEP: 24576:94co9L1uqvGZ9tEJe1pp3jubvC8IuA7G5:94co9L1ujZ9tsSpUDIuA7i
TLSH: 8F05AD49FBA842E1C477C078C6426B1BFAB6746903649ACBC6D086AD6F13FF45A3D311
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qC..5"..5"..5"..<Z..="..!I..<"..!I..6"..!I..:"..5"...&..!I..B"..!I..+"..!I~.4"..!I|.4"..!I..4"..Rich5"..........PE..d...!.c....
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x140031c50
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0xA863BA21 [Fri Jul 11 00:13:21 2059 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: b77fc40bd3ab3d336aead1e8bef09745
Signature Valid: true
Signature Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 16/11/2023 19:20:09
Not After: 14/11/2024 19:20:09
Subject Chain:
  • CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: 9B7554FFA2D97FE692CB10D7B2E315A7
Thumbprint SHA-1: D8FB0CC66A08061B42D46D03546F0D42CBC49B7C
Thumbprint SHA-256: 2D7FFCE2C256016291B67285456AA8DA779D711BBF8E6B85C212A157DDFBE77E
Serial: 3300000460CF42A912315F6FB3000000000460
Instruction
dec eax
sub esp, 28h
call 00007FCBFCBC8810h
dec eax
add esp, 28h
jmp 00007FCBFCBC8363h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [0008E0E9h]
jne 00007FCBFCBC8515h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FCBFCBC8505h
ret
dec eax
ror ecx, 10h
jmp 00007FCBFCBC8C34h
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FCBFCBC902Ch
test eax, eax
je 00007FCBFCBC8523h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FCBFCBC8507h
dec eax
cmp ecx, eax
je 00007FCBFCBC8516h
xor eax, eax
dec eax
cmpxchg dword ptr [0008E7E4h], ecx
jne 00007FCBFCBC84F0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FCBFCBC84F9h
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [0008E7FCh]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [0008E7ECh], al
call 00007FCBFCBC8E4Fh
call 00007FCBFCBC8846h
test al, al
jne 00007FCBFCBC8506h
xor al, al
jmp 00007FCBFCBC8516h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb98b8 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcd000 | 0x410 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc6000 | 0x6ca8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc7c00 | 0x42c8 | .pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0x1020 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa4b70 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa10d0 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa2ad0 | 0x508 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9fe50 | 0xa0000 | 244c35e6d1bf56ed55d1add064af5fdb | False | 0.5693344116210938 | data | 6.473265635780701 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa1000 | 0x19aea | 0x19c00 | 23b83410a2309da4c2164f5e4b2b6a95 | False | 0.47515928398058255 | data | 5.969838650831439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbb000 | 0xacc4 | 0x5600 | 11ec410e36176d3ce021f2d3713e66be | False | 0.28147710755813954 | data | 3.6529823123865253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xc6000 | 0x6ca8 | 0x6e00 | 0b4c09c4d6240d309a73120be33392a8 | False | 0.5063210227272728 | data | 5.847139130736544 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xcd000 | 0x410 | 0x600 | 9dc67913fbff23a23cb42b720305928d | False | 0.3111979166666667 | data | 2.513229972851933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xce000 | 0x1020 | 0x1200 | 015826be78ba2bef06001ff9d642ad05 | False | 0.2916666666666667 | data | 5.176061599653244 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xcd060 | 0x3b0 | data | English | United States | 0.4597457627118644
DLL | Import
msvcp_win.dll | ?_Xlength_error@std@@YAXPEBD@Z
api-ms-win-crt-runtime-l1-1-0.dll | _register_thread_local_exe_atexit_callback, _c_exit, _initterm_e, _initterm
api-ms-win-crt-private-l1-1-0.dll | _o__callnewh, _o__cexit, _o__configthreadlocale, _o__configure_narrow_argv, _o__crt_atexit, _o__errno, _o__exit, _o__get_initial_narrow_environment, _o__initialize_narrow_environment, _o__initialize_onexit_table, _o__invalid_parameter_noinfo, _o__invalid_parameter_noinfo_noreturn, _o__itow, _o__lfind, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, memmove, _o__stricmp, _o__strlwr, _o__wcsicmp, _o__wcsnicmp, _o_atoi, _o_atol, _o_bsearch, _o_exit, _o_free, _o_isdigit, _o_islower, _o_iswdigit, _o_isxdigit, _o_malloc, _o_qsort, _o_rand, _o_rand_s, _o_realloc, _o_sqrt, _o_strtol, _o_terminate, wcschr, strchr, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf, _o___stdio_common_vsnprintf_s, _o___stdio_common_vfprintf, _o___std_exception_destroy, _o___std_exception_copy, _o___p__commode, _o___p___argv, _o___p___argc, _o___acrt_iob_func, __C_specific_handler, wcsrchr, strstr, __CxxFrameHandler4, __std_terminate, __CxxFrameHandler3, _CxxThrowException, memcmp, memcpy
api-ms-win-crt-string-l1-1-0.dll | memset, strnlen, strcmp, strncmp, wcsncmp
KERNEL32.dll | WideCharToMultiByte, GetACP, GetOEMCP, MapViewOfFile, CreateFileMappingW, TlsGetValue, SetFileInformationByHandle, GetFileInformationByHandle, MultiByteToWideChar, UnmapViewOfFile, DebugBreak, DeleteCriticalSection, CreateMutexExW, CreateThreadpoolTimer, SetThreadpoolTimer, CloseHandle, OpenSemaphoreW, WaitForSingleObjectEx, AcquireSRWLockExclusive, CloseThreadpoolTimer, OutputDebugStringW, ReleaseSRWLockExclusive, GetLastError, FormatMessageW, ReleaseMutex, WaitForSingleObject, WaitForThreadpoolTimerCallbacks, InitializeCriticalSectionEx, LeaveCriticalSection, GetModuleHandleExW, ReleaseSemaphore, EnterCriticalSection, CreateSemaphoreExW, GetModuleFileNameA, RtlRaiseException, MulDiv, ReleaseSRWLockShared, AcquireSRWLockShared, GetProcAddress, SetLastError, GlobalFree, GlobalAlloc, TerminateProcess, GetCurrentProcess, GetModuleHandleW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetProcessHeap, ExitProcess, HeapAlloc, CreateThread, TlsAlloc, SetProcessMitigationPolicy, GetEnvironmentVariableW, InitializeCriticalSection, SetProcessShutdownParameters, WaitForMultipleObjects, HeapFree, TlsSetValue, InitOnceExecuteOnce, RaiseException
ADVAPI32.dll | EventRegister, EventWriteTransfer, EventSetInformation
ntdll.dll | RtlMultiByteToUnicodeN, RtlSetThreadWorkOnBehalfTicket, RtlClearThreadWorkOnBehalfTicket, RtlAllocateHeap, RtlUnicodeToMultiByteN
win32u.dll | NtGdiExtEscape
Language of compilation system | Country where language is spoken
English | United States
No network behavior found
Target ID: 0
Start time: 14:17:41
Start date: 12/08/2024
Path: C:\Users\user\Desktop\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\fontdrvhost.exe"
Imagebase: 0x7ff6b1c40000
File size: 835'272 bytes
MD5 hash: EE70BD5CB31BB41DC6731979AA0FEA6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

No disassembly