Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Sage.Eb.UniSign.Windows.exe

Overview

General Information

Sample name:Sage.Eb.UniSign.Windows.exe
Analysis ID:1560045
MD5:74a7aec99ca57c42ce99e3de83aef658
SHA1:ba13b7f129e96fa9bdc1c13f8b05d107289fac37
SHA256:e3f6aa0c441bb40ccb6b1c91ea8c9b4c4031be8584b39c6b2ae8a65035754ab1
Infos:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:20%

Signatures

AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64_ra
  • Sage.Eb.UniSign.Windows.exe (PID: 2004 cmdline: "C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe" MD5: 74A7AEC99CA57C42CE99E3DE83AEF658)
    • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 872 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Sage.Eb.UniSign.Windows.exeStatic PE information: certificate valid
Source: Sage.Eb.UniSign.Windows.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Sage.Eb.UniSign.Windows.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: O nPC:\Windows\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 00000000.00000002.1447558340.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.ni.pdbRSDSw source: WER5C54.tmp.dmp.5.dr
Source: Binary string: mscorlib.ni.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: \??\C:\Windows\symbols\exe\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 00000000.00000002.1447999928.00000000016D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 00000000.00000002.1447999928.00000000016D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.Configuration.ni.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.Configuration.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.ni.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER5C54.tmp.dmp.5.dr
Source: Binary string: Sage.Eb.UniSign.Windows.pdbL0 source: WER5C54.tmp.dmp.5.dr
Source: Binary string: C:\Builds\eIDSign\Ebanking\eIDSign.4.0.0\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe
Source: Binary string: \??\C:\Windows\exe\Sage.Eb.UniSign.Windows.pdbk source: Sage.Eb.UniSign.Windows.exe, 00000000.00000002.1447999928.00000000016D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER5C54.tmp.dmp.5.dr
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://ocsp.digicert.com0A
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://ocsp.digicert.com0C
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://ocsp.digicert.com0X
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://s2.symcb.com0
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://sv.symcd.com0&
Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://www.symauth.com/cps0(
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: http://www.symauth.com/rpa00
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: https://d.symcb.com/cps0%
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: https://d.symcb.com/rpa0
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 872
Source: Sage.Eb.UniSign.Windows.exe, 00000000.00000002.1447999928.000000000169E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Sage.Eb.UniSign.Windows.exe
Source: Sage.Eb.UniSign.Windows.exe, Ms.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: Sage.Eb.UniSign.Windows.exe, Ms.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Sage.Eb.UniSign.Windows.exe, Ms.csSecurity API names: System.IO.DirectoryInfo.GetAccessControl()
Source: Sage.Eb.UniSign.Windows.exe, Ms.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: Sage.Eb.UniSign.Windows.exe, UniSignEventSource.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Sage.Eb.UniSign.Windows.exe, Program.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Sage.Eb.UniSign.Windows.exe, Program.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Sage.Eb.UniSign.Windows.exe, NSUniSignService.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Sage.Eb.UniSign.Windows.exe, JsonRestDevice.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engineClassification label: clean3.winEXE@3/6@0/0
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2004
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\fa07e67b-2e27-4f17-b6d6-72e3bf8818cdJump to behavior
Source: Sage.Eb.UniSign.Windows.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Sage.Eb.UniSign.Windows.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: https[Add or Update NameSpace Reservation for uri: 1Delete SSL Certificate: QCN=SageeIDSignCA,O=UniSign,OU=SageFrance}ReCreate SSL Certificate: CN=127.0.0.1,O=UniSign,OU=SageFranceyCreate SSL Certificate: CN=127.0.0.1,O=UniSign,OU=SageFrance[Add or Update SSL Certificate for: 127.0.0.1:=Add prefix for Http Listener: 1Authentication Schemes: -Start Http Listener...json
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: firefox-addin
Source: Sage.Eb.UniSign.Windows.exeString found in binary or memory: ?yThe caller does not have the rights to perform the operationASessionLogon: New user connected9SessionLogon: Not admin role1Start setting firefox/ie)test "firefox-addin"
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeFile read: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe "C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe"
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 872
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: Sage.Eb.UniSign.Windows.exeStatic PE information: certificate valid
Source: Sage.Eb.UniSign.Windows.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Sage.Eb.UniSign.Windows.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Sage.Eb.UniSign.Windows.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Sage.Eb.UniSign.Windows.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: O nPC:\Windows\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 00000000.00000002.1447558340.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.ni.pdbRSDSw source: WER5C54.tmp.dmp.5.dr
Source: Binary string: mscorlib.ni.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: \??\C:\Windows\symbols\exe\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 00000000.00000002.1447999928.00000000016D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 00000000.00000002.1447999928.00000000016D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.Configuration.ni.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.Configuration.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.ni.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.pdb source: WER5C54.tmp.dmp.5.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER5C54.tmp.dmp.5.dr
Source: Binary string: Sage.Eb.UniSign.Windows.pdbL0 source: WER5C54.tmp.dmp.5.dr
Source: Binary string: C:\Builds\eIDSign\Ebanking\eIDSign.4.0.0\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe
Source: Binary string: \??\C:\Windows\exe\Sage.Eb.UniSign.Windows.pdbk source: Sage.Eb.UniSign.Windows.exe, 00000000.00000002.1447999928.00000000016D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER5C54.tmp.dmp.5.dr
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeMemory allocated: 1610000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeMemory allocated: 33A0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeMemory allocated: 53A0000 memory reserve | memory write watchJump to behavior
Source: Amcache.hve.5.drBinary or memory string: VMware
Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.5.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.drBinary or memory string: VMware-42 27 bb 56 ad d4 0b d4-0e 05 59 d1 5b 59 ef ed
Source: Amcache.hve.5.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.drBinary or memory string: vmci.sys
Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.drBinary or memory string: VMware20,1
Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe VolumeInformationJump to behavior
Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.drBinary or memory string: MsMpEng.exe
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter
1
DLL Side-Loading
1
Process Injection
2
Virtualization/Sandbox Evasion
OS Credential Dumping21
Security Software Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
1
Disable or Modify Tools
LSASS Memory2
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection
Security Account Manager11
System Information Discovery
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1560045 Sample: Sage.Eb.UniSign.Windows.exe Startdate: 21/11/2024 Architecture: WINDOWS Score: 3 5 Sage.Eb.UniSign.Windows.exe 1 2->5         started        process3 7 WerFault.exe 19 16 5->7         started        9 conhost.exe 5->9         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://upx.sf.netAmcache.hve.5.drfalse
    high
    http://www.symauth.com/cps0(Sage.Eb.UniSign.Windows.exefalse
      high
      http://www.symauth.com/rpa00Sage.Eb.UniSign.Windows.exefalse
        high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1560045
        Start date and time:2024-11-21 10:45:48 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 3m 42s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:19
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:Sage.Eb.UniSign.Windows.exe
        Detection:CLEAN
        Classification:clean3.winEXE@3/6@0/0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.42.73.29, 20.42.65.92
        • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net
        • Not all processes where analyzed, report is missing behavior information
        • VT rate limit hit for: Sage.Eb.UniSign.Windows.exe
        TimeTypeDescription
        04:46:31API Interceptor1x Sleep call for process: WerFault.exe modified
        No context
        No context
        No context
        No context
        No context
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.9240531572933794
        Encrypted:false
        SSDEEP:384:umPQRsbcJl9ABU/0WwarzuiFtY4IO8pRCX:HQRsbu9ABU/0WwarzuiFtY4IO8pRy
        MD5:A22485B94808AF5988D63889B1C914E9
        SHA1:9BF73AFD3731A4AFB212A3E2F9EE8003D4114330
        SHA-256:A4EC52DFB7F3BD1AD5D5863A799F80A5F43C635C27EA41F45AF016EC540DCB86
        SHA-512:7FAC18E57DF38F0E7B07AD0F41DA80B705F38E70C80F7CC82853C157B5E4D2C99A4E64F81880861FDC872DD8BABFFFE6B3C33AC7196DE8634B77E7878C50530C
        Malicious:false
        Reputation:low
        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.6.5.5.9.8.3.3.0.6.4.6.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.6.5.5.9.8.3.7.2.0.4.7.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.c.a.5.2.4.c.-.8.0.2.3.-.4.3.5.1.-.a.0.a.9.-.e.b.4.3.5.4.2.9.f.0.7.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.e.4.2.7.7.4.-.e.d.5.d.-.4.b.8.8.-.b.7.3.6.-.8.0.4.3.6.b.6.9.4.a.6.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.a.g.e...E.b...U.n.i.S.i.g.n...W.i.n.d.o.w.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.a.g.e...E.b...U.n.i.S.i.g.n...W.i.n.d.o.w.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.d.4.-.0.0.0.1.-.0.0.1.7.-.e.e.a.f.-.4.e.3.9.f.a.3.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.3.e.b.7.d.c.0.0.b.6.2.c.e.b.7.c.a.4.b.6.7.5.3.7.1.2.c.2.3.1.0.0.0.0.0.0.0.0.0.!.0.0.0.0.b.a.1.3.b.7.f.
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 15 streams, Thu Nov 21 09:46:23 2024, 0x1205a4 type
        Category:dropped
        Size (bytes):189290
        Entropy (8bit):3.8801371287478776
        Encrypted:false
        SSDEEP:3072:LfBkhsjlYGedA1uPscLv4W7XMiwtj02vB:LKh2xiCu0cLvuRj0
        MD5:DD5A91D08ED6032AF4F8119F7B8CB5BA
        SHA1:BAB16CC7E865305660D57F366B8ECE44D29385AB
        SHA-256:C8E3FFC4F4DA192CAC6242DAAC56BFD3EBCB59BA8479A88BE7465BC089754148
        SHA-512:B88198742D6A051D3C9CDC9BD98E329E7EE98B0FA628DA3E69B9CA3576683722EFB0F903824A0B1BDB91806DB2DE41CFC200FD366547327A1CF18679893D0518
        Malicious:false
        Reputation:low
        Preview:MDMP..a..... .......o.?g....................................$...........T....:..........`.......8...........T............"..........................................................................................................eJ......8.......GenuineIntel............T...........n.?g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):8384
        Entropy (8bit):3.698979453310227
        Encrypted:false
        SSDEEP:192:R6l7wVeJYJhd6x7bNxy6YsS2SUKvgmf7p40rprw89bnpsfONm:R6lXJEL6pNxy6YsTSUKvgmf7p40rnCfl
        MD5:A1F748E3EE3AC95CD304DCF8971DE4BA
        SHA1:1AD4A32FD61A0DC37CA014C17E2B01BD944A17FE
        SHA-256:104EE6D73ECBA3C6760398356E55805D14A5158493A409DDFBC79CE558599E30
        SHA-512:E1D28F4E9452CD674F84918754107ED8A54297093A8B9E4DD00AF53C110777AFA7689F6A3FDAEB8DDABCFDD66EC102909D9C5956AB26A344DDA540B02588D9DF
        Malicious:false
        Reputation:low
        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.0.4.<./.P.i.
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4746
        Entropy (8bit):4.524819448483058
        Encrypted:false
        SSDEEP:48:cvIwWl8zs3Jg77aI99EBLWda80aBYm8M4JOPcPHEjFa+q87PBt+U8ktPt4aPtaPU:uIjfZI7ggdlIJmoH92B78k5tntyed
        MD5:ECE4DAE772F06572C5F6FD788F9520D9
        SHA1:63A22AE901F13B14D134F92A595B7FA063A152C7
        SHA-256:470FB05ECF48536E895B78C93BD3198B93F0A991210394FA10923164E5BEACD3
        SHA-512:D1E93C3628AEE87DD89424164F8068B046BDC5611DD142C60558D302DFE2E49F2DE2C3A8628387F780174CF461EBE91B7F31D0B74E12958B0A64B59D08A9AC16
        Malicious:false
        Reputation:low
        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="597649" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:MS Windows registry file, NT/2000 or above
        Category:dropped
        Size (bytes):1835008
        Entropy (8bit):4.553726919725698
        Encrypted:false
        SSDEEP:6144:5n4MAqtcGlGl1axal8Y0z2FkwMa52IQlyu8lgeivwu89EM6BovpHd9I:2Mwq2q/18lHWaaUh
        MD5:A436884B064AEE9BB586BA79F5B0B9B2
        SHA1:C911B189D63BBF19CF3BB6F0F49EA4D5F2DEC27A
        SHA-256:965933B7461CCA95E7153936AE0C9F164C5BF0B14DA8B51C69CF21E6E88347FB
        SHA-512:53DAD1571FCEBC768EA5DE893075789C44F87BA8B2933B2117D0C0B9CA5E5BA9F2177A3A186D63B9549825C569C9D0B650981BFBC5147FD836EFE77B78F06BFE
        Malicious:false
        Reputation:low
        Preview:regfV...V....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.;.9.;..............................................................................................................................................................................................................................................................................................................................................^...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe
        File Type:ASCII text, with CRLF, LF line terminators
        Category:dropped
        Size (bytes):294
        Entropy (8bit):4.92318803324622
        Encrypted:false
        SSDEEP:6:WsTbZqbbUcfvfA4UrwL3+MDLIP12MUAvvdFJpQWoJP4wL37a/KZe:2Hfvfcr+3zDLI4M1rQ1g+37a4e
        MD5:525285019E3C5F2AB0AA750DFA50530D
        SHA1:4A2F962FEECFDF3C4D0BB7B8F63A3DFD5A9308FD
        SHA-256:EEB21D8D7CF86FB145DF89166AE896F94E551DE673257514E533A2ADFAD9663C
        SHA-512:16F71FB6BDD1A23AB27231F605F40F46233974CB70C80716A1C35EF7E831FA016FCCF40CCC7CC6A9443E90700A321E3A30C91A381B5D519732F94EA9636FC696
        Malicious:false
        Reputation:low
        Preview:.Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Sage.Eb.UniSign.PCL, Version=4.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified... at Sage.Eb.UniSign.Windows.Program.Main(String[] args).
        File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):6.165806013376497
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
        • Win32 Executable (generic) a (10002005/4) 49.93%
        • Windows Screen Saver (13104/52) 0.07%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        File name:Sage.Eb.UniSign.Windows.exe
        File size:186'240 bytes
        MD5:74a7aec99ca57c42ce99e3de83aef658
        SHA1:ba13b7f129e96fa9bdc1c13f8b05d107289fac37
        SHA256:e3f6aa0c441bb40ccb6b1c91ea8c9b4c4031be8584b39c6b2ae8a65035754ab1
        SHA512:7411cdb885c3066a6e6124256cf92f858bbf925c3d3e6d7d70373141a289f88c8c213ee0301b88467b33c4544990b4da37279f2cca6a119810186b2e9950c0ab
        SSDEEP:3072:Oi3cd5+DNwX9lxBOlA3bQn1xSJoSKi5lFzbRA6n6ceMb2EpYxxM/99xrDfCpudEH:OXlXRLQ1eoST5lFzbRTH2EpVfCZ
        TLSH:3E043C10B3EA4F25EAEF7B31A9B8190107797AC7E961DB5D098001DE0DA2F929703377
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U9d.........."...0.................. ........@.. ....................... .......9....`................................
        Icon Hash:00928e8e8686b000
        Entrypoint:0x42bfd2
        Entrypoint Section:.text
        Digitally signed:true
        Imagebase:0x400000
        Subsystem:windows cui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Time Stamp:0x643955DF [Fri Apr 14 13:32:15 2023 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
        Signature Valid:true
        Signature Issuer:CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
        Signature Validation Error:The operation completed successfully
        Error Number:0
        Not Before, Not After
        • 14/06/2020 20:00:00 15/06/2023 19:59:59
        Subject Chain
        • CN=SAGE SASU, OU=Sage MME-EB-BUILD, O=SAGE SASU, L=La Garenne Colombes, S=Hauts-de-Seine, C=FR
        Version:3
        Thumbprint MD5:FB207B8048D86EEAB42158BBF60FF4F3
        Thumbprint SHA-1:032B87C639A06F6DD672745D771B866E5CEBAE6E
        Thumbprint SHA-256:6CD43C7268E49160D94AEC845DE84681A588F508F2663BED1889C04FD13EEE19
        Serial:5629E6C0745165D283044BCC8F548E08
        Instruction
        jmp dword ptr [00402000h]
        arpl ax, ax
        push ds
        xor edi, ecx
        xchg eax, esp
        in eax, dx
        fucomi st(0), st(7)
        adc al, DCh
        sbb dword ptr [esi-32CF05B4h], esp
        push esp
        add byte ptr [eax], al
        add byte ptr [eax], al
        inc esi
        cmc
        pop ebx
        ret
        push cs
        aas
        inc edi
        pop edx
        or byte ptr [esi+54h], ch
        std
        salc
        fisttp qword ptr [ebx]
        fcom dword ptr [eax]
        mov dh, 9Ah
        retf 0000h
        add byte ptr [eax], al
        jecxz 00007FC53C621EDBh
        mov cx, ss
        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IMPORT0x2bf800x4f.text
        IMAGE_DIRECTORY_ENTRY_RESOURCE0x2e0000x624.rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
        IMAGE_DIRECTORY_ENTRY_SECURITY0x2ae000x2980
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x300000xc.reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG0x2be480x1c.text
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x20000x2a0500x2a200b9a54d6cd0cffb32871450f3bfa4f88bFalse0.3731511962166172data6.068525507835121IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rsrc0x2e0000x6240x800a76ee717ec2e92d591c837ea19fc2cf0False0.33740234375data3.503614834254875IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc0x300000xc0x200df128860d425ff4618a9c9d1893583dcFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        NameRVASizeTypeLanguageCountryZLIB Complexity
        RT_VERSION0x2e0900x394OpenPGP Secret Key0.4181222707423581
        RT_MANIFEST0x2e4340x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347
        DLLImport
        mscoree.dll_CorExeMain
        No network behavior found

        Click to jump to process

        Click to jump to process

        Click to dive into process behavior distribution

        Click to jump to process

        Target ID:0
        Start time:04:46:22
        Start date:21/11/2024
        Path:C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe"
        Imagebase:0xf70000
        File size:186'240 bytes
        MD5 hash:74A7AEC99CA57C42CE99E3DE83AEF658
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:1
        Start time:04:46:22
        Start date:21/11/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c1080000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:5
        Start time:04:46:23
        Start date:21/11/2024
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 872
        Imagebase:0x8a0000
        File size:483'680 bytes
        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        No disassembly