Windows
Analysis Report
rpcnetp.exe
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
rpcnetp.exe (PID: 6884 cmdline:
"C:\Users\ user\Deskt op\rpcnetp .exe" MD5: 07A37FDA01A1342E428C4CEFA7050348)
- cleanup
- • AV Detection
- • Compliance
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Boot Survival
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
Click to jump to signature section
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00402EB2 |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_00402B69 |
Source: | Code function: | 0_2_00402B69 | |
Source: | Code function: | 0_2_00A22B69 |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Code function: | 0_2_004014C3 |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_004033F9 | |
Source: | Code function: | 0_2_00A233F9 |
Source: | File created: | Jump to dropped file |
Source: | Code function: | 0_2_00402B69 |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | API coverage: |
Source: | API call chain: | graph_0-2527 |
Source: | Code function: | 0_2_004014C3 |
Source: | Code function: | 0_2_00402BE1 | |
Source: | Code function: | 0_2_00A22BE1 |
Source: | Code function: | 0_2_00402810 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 2 Service Execution | 1 Valid Accounts | 1 Valid Accounts | 1 Masquerading | OS Credential Dumping | 2 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | 3 Windows Service | 1 Access Token Manipulation | 1 Valid Accounts | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 3 Windows Service | 1 Access Token Manipulation | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Process Injection | 1 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
5% | ReversingLabs | |||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
11% | ReversingLabs |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1514703 |
Start date and time: | 2024-09-20 22:12:01 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 53s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 1 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | rpcnetp.exe |
Detection: | MAL |
Classification: | mal48.winEXE@1/2@0/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- VT rate limit hit for: rpcnet
p.exe
Process: | C:\Users\user\Desktop\rpcnetp.exe |
File Type: | |
Category: | modified |
Size (bytes): | 17408 |
Entropy (8bit): | 5.808879156339454 |
Encrypted: | false |
SSDEEP: | 384:HSW9KAUkANjOqYrxPheuHThCA2Ff2UKiQzCc2GB:y+KAU3kqYrxPhp9CA2cUKimCc2GB |
MD5: | C10DE8CB09BFA8DDF3EA7474E7FBA07A |
SHA1: | 1AB13607E151F3AD4CE6D744C8E0D99773AE12F7 |
SHA-256: | 56C9AB9A663AF6AF931B3C76F32ED0F7402D6ED39F3538F72CB2757886EF7C40 |
SHA-512: | D158348EF6064739652FCB255AD94DF1002966126EB856A612D9360FC959BACED5165B233AF2CAFAA64C785899DB90D29BFD62878DACDD667748935C6AB294B3 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\rpcnetp.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 5.8086863475255415 |
TrID: |
|
File name: | rpcnetp.exe |
File size: | 17'408 bytes |
MD5: | 07a37fda01a1342e428c4cefa7050348 |
SHA1: | 57e62bd4fc61327bc744c10ca71b0e340a46a4c9 |
SHA256: | 1c6a20980a186225979f5e91bc48eaf77c67f50eea85eba9db4c3ec55c61d55f |
SHA512: | 454284f58696f402b743689826dee08356b600fc46944e2ed193ae1b08ca89584c30b96ca3f301b89e878abd8d8cac14ac0b1e163bc01854075fc9af671c35f9 |
SSDEEP: | 384:SW9KAUkANjOqYrxPheuHThCA2Ff2UKiQzCc2GB:S+KAU3kqYrxPhp9CA2cUKimCc2GB |
TLSH: | FB724C93FA9449F3D64206346C913E665FBEA6740C15ED67CE005E883EBE58395FC213 |
File Content Preview: | MZ.............j........@...................................H....j......PE..L....O.O.................6...........+.......P....@..................................................................D..F...T=..x............................p..8.................. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x402b15 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4FC64FC6 [Wed May 30 16:50:14 2012 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | ff5b6a43b1b731f25aeef3f8dca9cae0 |
Instruction |
---|
push ebp |
mov ebp, esp |
push esi |
mov esi, 00405004h |
xor eax, eax |
cmp dword ptr [esi], eax |
jne 00007FC38862AE5Fh |
push eax |
call dword ptr [004010B4h] |
mov ecx, dword ptr [ebp+08h] |
jecxz 00007FC38862AE62h |
cmp eax, ecx |
je 00007FC38862AE5Eh |
mov dword ptr [esi], ecx |
push eax |
push dword ptr [00401244h] |
push ecx |
call dword ptr [004010D0h] |
cmp eax, 0040356Ch |
pop eax |
jne 00007FC38862AE46h |
call 00007FC38862AE75h |
mov eax, 00000001h |
mov dword ptr [0040504Ch], eax |
pop esi |
leave |
retn 000Ch |
mov dword ptr [esi], eax |
pop esi |
leave |
jmp 00007FC38862AADCh |
push 00405140h |
call dword ptr [00401020h] |
mov eax, dword ptr [0040510Ch] |
ret |
push ebp |
mov ebp, esp |
lea eax, dword ptr [ebp+08h] |
push eax |
push 00000001h |
push 00000000h |
push 00000003h |
call dword ptr [004010E4h] |
pop ebp |
retn 0004h |
mov dword ptr [00406238h], 00402810h |
ret |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
dec eax |
je 00007FC38862AE50h |
sub eax, 04h |
je 00007FC38862AE4Bh |
push dword ptr [00405114h] |
push dword ptr [00405118h] |
push dword ptr [00405104h] |
call 00007FC38862AD59h |
jmp 00007FC38862AE4Ch |
push 00000000h |
push 00001388h |
push 00000003h |
call 00007FC38862AD49h |
push dword ptr [00405044h] |
call dword ptr [004010A8h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x44a0 | 0x46 | .text |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d54 | 0x78 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7000 | 0x338 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x14c | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x34e6 | 0x3600 | 1c3941e5863b3bd163c1bce13607daab | False | 0.6011284722222222 | data | 6.246196243264917 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x5000 | 0x1b8 | 0x200 | 2ad0e26745cf41740bf80e24c720c4dc | False | 0.1171875 | data | 0.4456029195603677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.cdata | 0x6000 | 0x23c | 0x400 | 45b527c09be9e5e1c192f6686654c5ec | False | 0.1669921875 | data | 1.3625095134733607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x7000 | 0x338 | 0x400 | 0784c2b1e1f9f540ef7808beba6681e4 | False | 0.7490234375 | data | 5.808753726161884 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
ADVAPI32.dll | CreateProcessAsUserA, RegisterServiceCtrlHandlerA, OpenProcessToken, RegQueryValueExA, RegDeleteValueA, DuplicateTokenEx, RegCloseKey, RegOpenKeyA, StartServiceCtrlDispatcherA, SetServiceStatus, RegEnumValueA, SetTokenInformation |
KERNEL32.dll | CreateRemoteThread, LocalAlloc, SetThreadPriority, CloseHandle, LoadLibraryA, RtlUnwind, VirtualAllocEx, FreeLibrary, SetStdHandle, GetStdHandle, GetBinaryTypeA, ResumeThread, CreateProcessA, LocalFree, VirtualFreeEx, EnterCriticalSection, CreateFileA, TerminateProcess, lstrlenA, GetCurrentThreadId, CopyFileA, WriteProcessMemory, WaitForSingleObject, TerminateThread, Sleep, OpenProcess, GetSystemDirectoryA, DeleteCriticalSection, InitializeCriticalSection, SetEvent, ExitProcess, GetVersion, GetModuleHandleA, GetCurrentProcessId, LeaveCriticalSection, CreateEventA, ResetEvent, ExitThread, CreateThread, GetProcAddress, lstrcatA, ReadProcessMemory, WaitForMultipleObjects, lstrcpyA, RaiseException, lstrcmpiA, WriteFile, SetFilePointer, GetModuleFileNameA, GetExitCodeThread |
USER32.dll | CreateWindowExA, SetTimer, GetMessageA, TranslateMessage, RegisterClassA, KillTimer, DispatchMessageA, PostMessageA, PostThreadMessageA, PeekMessageA, PostQuitMessage, wsprintfA, DefWindowProcA |
USERENV.dll | CreateEnvironmentBlock |
WSOCK32.dll | ioctlsocket, inet_addr |
Name | Ordinal | Address |
---|---|---|
rpcnetp | 1 | 0x40356c |
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 16:12:51 |
Start date: | 20/09/2024 |
Path: | C:\Users\user\Desktop\rpcnetp.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 17'408 bytes |
MD5 hash: | 07A37FDA01A1342E428C4CEFA7050348 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 2.3% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 15.3% |
Total number of Nodes: | 679 |
Total number of Limit Nodes: | 3 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|