
Windows Analysis Report
MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf.zip

Overview

General Information

Sample name: MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf.zip
Analysis ID: 1541056
MD5: a14b41b82281a4c086555697e0840e10
SHA1: cded974b252fbdf7ff9e55e1be828fb63fc524a9
SHA256: 43ad7e42e5b60747230891c2fe5fec20cfb86f78cb41f32b24e280884635b793

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Note: the score of 0 records that nothing was observed, not that the contents are benign. The only process seen was a rundll32.exe instance hosting a shell32 COM local server (shell32.dll,SHCreateLocalServerRunDll {CLSID} -Embedding); the archive member Patch.exe, visible in the file content preview further down, was never extracted or executed (no created or dropped files, zero executed functions), the run ended on timeout, and the VirusTotal lookup was skipped because of a rate limit. Read the result as "no verdict" rather than "clean".

Signatures

Program does not show much activity (idle)

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6320 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures. All signature results:

Source: classification engine. Classification label: clean0.winZIP@1/0@0/0
Source: C:\Windows\System32\rundll32.exe. Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key; reading it at process start is normal Windows behaviour, which is the "System Information Discovery" match below)
Source: unknown. Process created: C:\Windows\System32\rundll32.exe, command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\System32\rundll32.exe. Process information set: NOOPENFILEERRORBOX
Source: all processes. Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK matrix (tactic: technique; the number in parentheses is the count of signatures that matched; entries without a count are the matrix's placeholder cells and had no matching signature):

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Rundll32 (1)
Credential Access: OS Credential Dumping
Discovery: System Information Discovery (1)
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
No Antivirus matches
Domains:
Name: bg.microsoft.map.fastly.net
IP: 199.232.210.172
Active: true
Malicious: false
Antivirus Detection: none
Reputation: unknown

Note: the A lookup for this name is the only network activity in the run. Its name indicates a Microsoft hostname served through the Fastly CDN, and the context section further down shows the same name resolving in analyses of unrelated samples and of a Windows Update download URL, so it is background traffic from the analysis system rather than behaviour attributable to the archive.
    No contacted IP infos
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1541056
    Start date and time: 2024-10-24 11:02:28 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 3m 30s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: defaultwindowsinteractivecookbook.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 11
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf.zip
    Detection: CLEAN
    Classification: clean0.winZIP@1/0@0/0
    EGA Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .zip
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information
    • VT rate limit hit for: MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf.zip
    No simulations
    No context
    Context for bg.microsoft.map.fastly.net: other analyses in which the same name resolved (sample name or URL, detection, threat name, resolved IP):
    • http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com (malicious, Unknown, 199.232.214.172)
    • 1863415243647.exe (malicious, AgentTesla, 199.232.214.172)
    • 11625182393171315806.js (malicious, Strela Downloader, 199.232.210.172)
    • 68767783000729717.js (malicious, Strela Downloader, 199.232.210.172)
    • 17233137582802518545.js (malicious, Strela Downloader, 199.232.210.172)
    • 197524037151051602.js (malicious, Strela Downloader, 199.232.210.172)
    • https://t.co/yXelyYqHRk (malicious, Unknown, 199.232.210.172)
    • https://linkednnn.weebly.com/ (malicious, Unknown, 199.232.214.172)
    • http://doddyfire.linkpc.net:10000/ (malicious, Unknown, 199.232.214.172)
    • http://deliveryinfo-helpusps.org/ (malicious, Unknown, 199.232.210.172)
    No context
    No created / dropped files found
    File type: Zip archive data, at least v2.0 to extract, compression method=deflate
    Entropy (8bit): 7.999822602275705
    TrID:
    • ZIP compressed archive (8000/1) 100.00%
    File name: MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf.zip
    File size: 907'411 bytes
    MD5: a14b41b82281a4c086555697e0840e10
    SHA1: cded974b252fbdf7ff9e55e1be828fb63fc524a9
    SHA256: 43ad7e42e5b60747230891c2fe5fec20cfb86f78cb41f32b24e280884635b793
    SHA512: 0c79a3ce5899b3fcf564fe735cea651eda280e2eb42333eb45bcb40caa113d1ee62c5c06f38d343fc6fd6412bf5db01356e876fcc247a272a74d3f6f0f0421e4
    SSDEEP: 24576:xQxzDwAaiSbynEiU3o3O4/YqGt39gFo9Q1kQ7OwYJBaW:x4DRfSGE7U/HGt39CZ7NEBl
    TLSH: 07153398F4561EC967648AE20C98A1D9C3D38042802B0ADE5D26DFFFB7D5118F436BDB
    File Content Preview: PK........BHXY.........V....$.Patch.exe.. ............e.%.....e.%.....e.%..S..52{..C....Gpn.Pv.b.^l...5..Q,!....=G....M......w..3..t1...hF.u..,...*..{c.....6Q..........{I'H...jl<.r.."..q.......Z.S.R.t..........iQ.....M...}3..CW.tm.`a.W.4.-.X....$>...\N...
    Icon Hash: 1c1c1e4e4ececedc
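Added example (mine, not code from the Joe Sandbox report): a Python triage of the archive that reproduces the static values above without extracting anything. The File Content Preview is the start of the first ZIP local file header: the member name begins at byte 30, which is why "Patch.exe" is readable there, and the four printable bytes "BHXY" at offsets 10..13 are that member's DOS modification time and date, which decode little-endian (0x4842, 0x5958) to 2024-10-24 09:02:04 in the creating machine's local time, the same day the analysis ran. Because the run never extracted or executed Patch.exe (no dropped files, zero executed functions, stop reason timeout), this static listing is all the report tells you about it. The archive the code builds is a constructed stand-in with one deflated member named Patch.exe made of pseudo-random bytes, not the real sample, so the hashes it prints are not the ones listed above.

```python
import hashlib
import io
import math
import random
import struct
import zipfile
from collections import Counter

# Local file header: signature, version, flags, method, mtime, mdate, crc32,
# compressed size, uncompressed size, name length, extra length = 30 bytes.
LOCAL_HDR = "<4sHHHHHIIIHH"
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta", ".lnk")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0..8), the 'Entropy (8bit)' figure in the report.
    Values near 8 mean the bytes are compressed or encrypted, which a deflated ZIP always is."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_dos_datetime(dos_time: int, dos_date: int):
    """MS-DOS packed time/date (local time of the machine that built the archive) -> (Y, M, D, h, m, s)."""
    return (((dos_date >> 9) & 0x7F) + 1980, (dos_date >> 5) & 0xF, dos_date & 0x1F,
            (dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def first_local_header(blob: bytes) -> dict:
    """Parse the first local file header by hand, the same bytes the File Content Preview shows."""
    sig, ver, flags, method, mtime, mdate, _crc, _csize, _usize, nlen, _elen = \
        struct.unpack_from(LOCAL_HDR, blob, 0)
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    return {
        "name": blob[30:30 + nlen].decode("cp437"),   # name field starts at byte 30
        "min_version": ver / 10,                       # 20 -> "at least v2.0 to extract"
        "encrypted": bool(flags & 1),                  # bit 0 = traditional/AES password protection
        "method": method,                              # 8 = deflate
        "modified": decode_dos_datetime(mtime, mdate),
    }


def triage_zip(blob: bytes) -> dict:
    """Hashes, entropy and a member listing read from the central directory; nothing is extracted."""
    out = {
        "size": len(blob),
        "md5": hashlib.md5(blob).hexdigest(),
        "sha1": hashlib.sha1(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "entropy": shannon_entropy(blob),
        "first_header": first_local_header(blob),
        "members": [],
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            out["members"].append({
                "name": zi.filename,
                "method": zi.compress_type,
                "encrypted": bool(zi.flag_bits & 1),
                "compressed": zi.compress_size,
                "uncompressed": zi.file_size,
                "executable_ext": zi.filename.lower().endswith(EXECUTABLE_EXTS),
            })
    return out


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the report's archive (NOT the real sample): one deflated member
    named Patch.exe whose body is incompressible pseudo-random bytes, stamped with the
    modification time that the preview's 'BHXY' bytes decode to."""
    rng = random.Random(20241024)
    body = b"MZ" + bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zi = zipfile.ZipInfo("Patch.exe", date_time=(2024, 10, 24, 9, 2, 4))
        zf.writestr(zi, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_zip(build_constructed_sample()).items():
        print(f"{key}: {value}")
```

On the real archive, pass its bytes to triage_zip and look at the encrypted flag first: a password-protected member can still be listed but not read, and a sandbox run that only opens the archive in the shell will never reach the payload either way, which is consistent with the zero-activity result above.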
    DNS responses (two A records in one reply):
    Timestamp: Oct 24, 2024 11:03:00.695859909 CEST
    Source IP: 1.1.1.1
    Dest IP: 192.168.2.16
    Trans ID: 0x20dc
    Reply Code: No error (0)
    Name: bg.microsoft.map.fastly.net
    CName: none
    Addresses: 199.232.210.172, 199.232.214.172
    Type: A (IP address)
    Class: IN (0x0001)
    DNS over HTTPS: false


    Target ID: 0
    Start time: 05:03:04
    Start date: 24/10/2024
    Path: C:\Windows\System32\rundll32.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    Imagebase: 0x7ff70d8f0000
    File size: 71'680 bytes
    MD5 hash: EF3179D498793BF4234F708D3BE28633
    Has elevated privileges: false
    Has administrator privileges: false
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true
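Added example (mine, not code from the report): a Python helper that classifies rundll32 command lines from sandbox or EDR telemetry, since the single "Rundll32" ATT&CK match above (T1218.011) fires on the mere presence of rundll32.exe. The form seen here, shell32.dll,SHCreateLocalServerRunDll {CLSID} -Embedding, is the shell hosting a COM object out of process (-Embedding is the switch COM passes on local-server activation), so it is recognised explicitly; which object the CLSID {9aa46009-3ce0-458a-a354-715610a075e6} denotes is not stated in the report and the code makes no assumption about it. The remaining rules (export called by ordinal, DLL outside System32/SysWOW64, non-DLL first argument, URL in the arguments) and the extra command lines in the test are illustrative assumptions of mine, not Joe Sandbox rules.

```python
import re
from pathlib import PureWindowsPath

# {8-4-4-4-12} hex CLSID as rundll32 receives it from COM activation.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# "<path\>rundll32[.exe] <rest>"; the executable may be quoted.
CMD_RE = re.compile(r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+(?P<rest>.*)$', re.I)
# Assumption for the heuristics: DLLs under these directories are OS-owned.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_rundll32(cmdline: str):
    """Split '<rundll32> <dll>,<export> <args>' into parts, or None if it is not rundll32."""
    m = CMD_RE.match(cmdline)
    if not m:
        return None
    head, _, args = m.group("rest").strip().partition(" ")
    dll, _, export = head.partition(",")   # rundll32 splits DLL and export at the first comma
    return {"dll": dll.strip('"'), "export": export.strip(), "args": args.strip()}


def triage_rundll32(cmdline: str):
    """Return (verdict, reason) for one command line."""
    p = parse_rundll32(cmdline)
    if p is None:
        return ("not-rundll32", "not a rundll32 invocation")
    dll = PureWindowsPath(p["dll"])
    name, parent = dll.name.lower(), str(dll.parent).lower()
    export, args = p["export"], p["args"]

    # The process in this report: shell32 COM local server, "{CLSID} -Embedding" and nothing else.
    if name == "shell32.dll" and export.lower() == "shcreatelocalserverrundll":
        toks = args.split()
        if len(toks) == 2 and GUID_RE.match(toks[0]) and toks[1].lower() == "-embedding":
            return ("benign-shell-com", f"shell32 COM local server {toks[0]}")

    # Illustrative heuristics (assumptions) for everything else.
    if not export:
        return ("suspicious", "no export named")
    if export.startswith("#"):
        return ("suspicious", "export called by ordinal")
    if not name.endswith(".dll"):
        return ("suspicious", f"first argument {p['dll']!r} is not a DLL path")
    if parent not in (".", "") and parent not in TRUSTED_DLL_DIRS:
        return ("suspicious", f"DLL loaded from {parent}")
    if re.search(r"https?://", args, re.I):
        return ("suspicious", "URL passed as argument")
    # Unqualified names (e.g. printui.dll) resolve through the system search path; assumed OS-owned.
    return ("review", f"{name},{export} from a system directory")


if __name__ == "__main__":
    # The command line from the report above.
    print(triage_rundll32(r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
                          r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"))
```

The point of the explicit benign branch is that it checks the whole shape (shell32 path, the named export, exactly one CLSID and -Embedding) rather than just the export name, so a command line that adds a URL, a second argument, or a DLL from another directory drops through to the heuristics and is reported for review instead of being whitelisted.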

    No disassembly