Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
malo.zip

Overview

General Information

Sample name:malo.zip
Analysis ID:1559386
MD5:64fc74457495cd5c7e59758845edb6f5
SHA1:2dbb710f729dae3c4f3380c95cbd5c6f1c9eddb4
SHA256:2fbd7b6a51a92c49809212abe6d6821d72ad45c62eb0d1c0b8634a36581125cb

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6248 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Binary string: D:\project\LADM\Drivers\Trunk\AutoInstall\x64\Release\UDCC Launcher.pdb source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: Binary string: D:\Output\AutoInstall\Libs\UiLib_d_x64.pdbh source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: Binary string: D:\project\LADM\Drivers\Trunk\AutoInstall\x64\Release\UDCC Launcher.pdb< source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: Binary string: D:\Output\AutoInstall\Libs\UiLib_d_x64.pdb source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://ocsp.digicert.com0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://ocsp.digicert.com0A
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://ocsp.digicert.com0C
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://ocsp.digicert.com0X
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exeString found in binary or memory: http://www.digicert.com/CPS0
Source: classification engineClassification label: clean0.winZIP@1/0@0/0
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: malo.zipStatic file information: File size 2731255 > 1048576
Source: Binary string: D:\project\LADM\Drivers\Trunk\AutoInstall\x64\Release\UDCC Launcher.pdb source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: Binary string: D:\Output\AutoInstall\Libs\UiLib_d_x64.pdbh source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: Binary string: D:\project\LADM\Drivers\Trunk\AutoInstall\x64\Release\UDCC Launcher.pdb< source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: Binary string: D:\Output\AutoInstall\Libs\UiLib_d_x64.pdb source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Rundll32
OS Credential Dumping1
System Information Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1559386
Start date and time:2024-11-20 13:22:09 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 15s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:malo.zip
Detection:CLEAN
Classification:clean0.winZIP@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .zip
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe, SearchApp.exe
  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, r.bing.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • VT rate limit hit for: malo.zip
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
File type:Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):7.996505283606878
TrID:
  • ZIP compressed archive (8000/1) 100.00%
File name:malo.zip
File size:2'731'255 bytes
MD5:64fc74457495cd5c7e59758845edb6f5
SHA1:2dbb710f729dae3c4f3380c95cbd5c6f1c9eddb4
SHA256:2fbd7b6a51a92c49809212abe6d6821d72ad45c62eb0d1c0b8634a36581125cb
SHA512:6c1a564bfbc569294c10942d594476dbf6155abc2ce621c6aeecfedf4b56f97424b2e707468d95df4c72d8a36dc3074049f728a8f5e60a2bde2d3a1cf0a33b96
SSDEEP:49152:ArRN3iKAz66lbsHOZKTIcUuWx3UY27BQRZp5TFKavVK0iBRfaUHzM+:kRN3Iz6CbkILbuWFz2l+ZpNFKahiBRSO
TLSH:4FC533460EB1034E9D24A67B4D4F0072E99DB481FFBAD57D8A348F7E63B0048526D6AF
File Content Preview:PK.........QtY...?....@.?.D...adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe...tTE...&@H..Q..%.YE6.jP..Ew....jT.(...(.FE.%h.C4(h.U..x.(..9.......wT..............$.o...6O................j.c............q........]......s..?fX..........k
Icon Hash:1c1c1e4e4ececedc
No network behavior found

Click to jump to process

Click to jump to process

Target ID:0
Start time:07:22:36
Start date:20/11/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:0x7ff7fc9c0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

No disassembly