Windows Analysis Report
EngMain9.exe

Overview

General Information

Sample name:EngMain9.exe
Analysis ID:1559378
MD5:7bd6cb707b9a6ae6c97fe46dc6edce2d
SHA1:1bf3dc9b6ea612d099034b6f97363e8eaf6821cc
SHA256:aee096366697a928ab7ce6d6ffb8d08de100561aacd3b49148cb890042134a0f

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64
  • EngMain9.exe (PID: 1352 cmdline: "C:\Users\user\Desktop\EngMain9.exe" MD5: 7BD6CB707B9A6AE6C97FE46DC6EDCE2D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: EngMain9.exe | Joe Sandbox ML: detected
Source: EngMain9.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: EngMain9.exe | Binary or memory string: @pK*\AE:\2015Upgrades\MP3s\Grade10MP3\Gr9Eng\MenuForms\EngMain\EngMain9.vbp
Source: EngMain9.exe, 00000000.00000002.3289855042.00000000004B7000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: B*\AE:\2015Upgrades\MP3s\Grade10MP3\Gr9Eng\MenuForms\EngMain\EngMain9.vbp
Source: classification engine | Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\EngMain9.exe | Mutant created: NULL
Source: EngMain9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EngMain9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: asycfilt.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EngMain9.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Tactic: Technique (number of matching signatures, where any)
Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1)
Defense Evasion: DLL Side-Loading (1)
Credential Access: OS Credential Dumping
Discovery: System Information Discovery (1)
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
Source        Detection  Scanner
EngMain9.exe  5%         ReversingLabs
EngMain9.exe  100%       Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1559378
Start date and time:2024-11-20 13:07:42 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 35s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:EngMain9.exe
Detection:MAL
Classification:mal48.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • VT rate limit hit for: EngMain9.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.164073248071044
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.15%
  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:EngMain9.exe
File size:757'760 bytes
MD5:7bd6cb707b9a6ae6c97fe46dc6edce2d
SHA1:1bf3dc9b6ea612d099034b6f97363e8eaf6821cc
SHA256:aee096366697a928ab7ce6d6ffb8d08de100561aacd3b49148cb890042134a0f
SHA512:998ba0cbb47632e0432cc1bbd8a953257c81c6e61688514a446b7f02c3546f486f5c48f7a90ad8a6587a1c00e86b1901fa6ae7ee631e81bb7494f7443b499086
SSDEEP:12288:YImFvInIGL0PRjIhPREPRWPR4LxLNI/L:WQL0JMJEJWJ4LxL6L
TLSH:FAF48223B16DD892E5238A31CDF6E7FF40153D22FEA49AC77454374FB9B6A822521132
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.y.|...r...{...r.......r.Rich..r.........PE..L...-..Y.................`.........., .......p....@................
Icon Hash:00869eb0b230201f
Entrypoint:0x40202c
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x59B28F2D [Fri Sep 8 12:38:05 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:0c5669d71e5b08d3dbf8498b6cf12af0
Instruction
push 0040F000h
call 00007F0E2CE9C895h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, cl
and ah, byte ptr [ecx+2B0AC1C0h]
dec edi
wait
xchg eax, edi
insb
dec ebp
retn 0B69h
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
xor byte ptr [edx], dh
xor byte ptr [ebx+esi], dh
xor byte ptr [eax+72h], dl
outsd
push 00000065h
arpl word ptr [ecx+esi+00h], si
xor byte ptr [30303043h], ch
sub eax, 00000000h
dec esp
xor dword ptr [eax], eax
xor byte ptr [edi-6978345Eh], dl
call 00007F0EAC8016FDh
les eax, fword ptr [ebp+2DE5B1D1h]
stosd
arpl word ptr [esi+52h], cx
fsub dword ptr [edx+0Ch]
dec ecx
mov edx, F65C491Ah
inc esp
test al, 9Eh
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sub ecx, edi
add byte ptr [eax], al
dec edx
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [esi+72h], ah
insd
push eax
xor byte ptr [ecx], dh
add byte ptr [46000501h], cl
outsd
jc 00007F0E2CE9C90Fh
xor dword ptr [eax], eax
add edi, edi
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb6974          0x28          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbe000          0x8d4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x8c          .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0           -
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
.text  0x1000           0xb5c24       0xb6000   99f9a5dfcced613c6e388c5f62acdb4c  False     0.26776190118475274  data       5.197480343091137  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data  0xb7000          0x66f4        0x1000    620f0b67a91f7f74151bc5be745b7110  False     0.00634765625        data       0.0                IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0xbe000          0x8d4         0x1000    f0f755b9bd1026db5e68075987373f38  False     0.165283203125       data       1.932385502791597  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                            Language  Country        ZLIB Complexity
RT_ICON        0xbe7a4  0x130  Device independent bitmap graphic, 32 x 64 x 1, image size 256  -         -              0.3223684210526316
RT_ICON        0xbe4bc  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 640  -         -              0.19623655913978494
RT_ICON        0xbe394  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192  -         -              0.4155405405405405
RT_GROUP_ICON  0xbe364  0x30   data                                                            -         -              1.0
RT_VERSION     0xbe150  0x214  data                                                            English   United States  0.46616541353383456
DLL           Import
MSVBVM60.DLL  _CIcos, _adj_fptan, __vbaFreeVar, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarDup, _CIatan, _allmul, _CItan, _CIexp

Language of compilation system  Country where language is spoken
English                         United States
No network behavior found

Target ID:0
Start time:07:08:33
Start date:20/11/2024
Path:C:\Users\user\Desktop\EngMain9.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\EngMain9.exe"
Imagebase:0x400000
File size:757'760 bytes
MD5 hash:7BD6CB707B9A6AE6C97FE46DC6EDCE2D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

No disassembly