Windows
Analysis Report
EngMain9.exe
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- EngMain9.exe (PID: 1352 cmdline: "C:\Users\user\Desktop\EngMain9.exe" MD5: 7BD6CB707B9A6AE6C97FE46DC6EDCE2D)
- cleanup
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Process information set: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 5% | ReversingLabs | | |
| 100% | Joe Sandbox ML | | |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1559378 |
Start date and time: | 2024-11-20 13:07:42 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | EngMain9.exe |
Detection: | MAL |
Classification: | mal48.winEXE@1/0@0/0 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- VT rate limit hit for: EngMain9.exe
File type: | |
Entropy (8bit): | 5.164073248071044 |
TrID: | |
File name: | EngMain9.exe |
File size: | 757'760 bytes |
MD5: | 7bd6cb707b9a6ae6c97fe46dc6edce2d |
SHA1: | 1bf3dc9b6ea612d099034b6f97363e8eaf6821cc |
SHA256: | aee096366697a928ab7ce6d6ffb8d08de100561aacd3b49148cb890042134a0f |
SHA512: | 998ba0cbb47632e0432cc1bbd8a953257c81c6e61688514a446b7f02c3546f486f5c48f7a90ad8a6587a1c00e86b1901fa6ae7ee631e81bb7494f7443b499086 |
SSDEEP: | 12288:YImFvInIGL0PRjIhPREPRWPR4LxLNI/L:WQL0JMJEJWJ4LxL6L |
TLSH: | FAF48223B16DD892E5238A31CDF6E7FF40153D22FEA49AC77454374FB9B6A822521132 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.y.|...r...{...r.......r.Rich..r.........PE..L...-..Y.................`.........., .......p....@................ |
Icon Hash: | 00869eb0b230201f |
Entrypoint: | 0x40202c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x59B28F2D [Fri Sep 8 12:38:05 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 0c5669d71e5b08d3dbf8498b6cf12af0 |
Instruction |
---|
push 0040F000h |
call 00007F0E2CE9C895h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
inc eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add cl, cl |
and ah, byte ptr [ecx+2B0AC1C0h] |
dec edi |
wait |
xchg eax, edi |
insb |
dec ebp |
retn 0B69h |
dec eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add dword ptr [eax], eax |
add byte ptr [eax], al |
xor byte ptr [edx], dh |
xor byte ptr [ebx+esi], dh |
xor byte ptr [eax+72h], dl |
outsd |
push 00000065h |
arpl word ptr [ecx+esi+00h], si |
xor byte ptr [30303043h], ch |
sub eax, 00000000h |
dec esp |
xor dword ptr [eax], eax |
xor byte ptr [edi-6978345Eh], dl |
call 00007F0EAC8016FDh |
les eax, fword ptr [ebp+2DE5B1D1h] |
stosd |
arpl word ptr [esi+52h], cx |
fsub dword ptr [edx+0Ch] |
dec ecx |
mov edx, F65C491Ah |
inc esp |
test al, 9Eh |
cmp cl, byte ptr [edi-53h] |
xor ebx, dword ptr [ecx-48EE309Ah] |
or al, 00h |
stosb |
add byte ptr [eax-2Dh], ah |
xchg eax, ebx |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
sub ecx, edi |
add byte ptr [eax], al |
dec edx |
add byte ptr [eax], al |
add byte ptr [eax], al |
push es |
add byte ptr [esi+72h], ah |
insd |
push eax |
xor byte ptr [ecx], dh |
add byte ptr [46000501h], cl |
outsd |
jc 00007F0E2CE9C90Fh |
xor dword ptr [eax], eax |
add edi, edi |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6974 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x8d4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x8c | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb5c24 | 0xb6000 | 99f9a5dfcced613c6e388c5f62acdb4c | False | 0.26776190118475274 | data | 5.197480343091137 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0xb7000 | 0x66f4 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xbe000 | 0x8d4 | 0x1000 | f0f755b9bd1026db5e68075987373f38 | False | 0.165283203125 | data | 1.932385502791597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xbe7a4 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | | | 0.3223684210526316 |
RT_ICON | 0xbe4bc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.19623655913978494 |
RT_ICON | 0xbe394 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.4155405405405405 |
RT_GROUP_ICON | 0xbe364 | 0x30 | data | | | 1.0 |
RT_VERSION | 0xbe150 | 0x214 | data | English | United States | 0.46616541353383456 |
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarDup, _CIatan, _allmul, _CItan, _CIexp |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 07:08:33 |
Start date: | 20/11/2024 |
Path: | C:\Users\user\Desktop\EngMain9.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 757'760 bytes |
MD5 hash: | 7BD6CB707B9A6AE6C97FE46DC6EDCE2D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |