Play interactive tour

Edit tour

Analysis Report ietabhelper.exe

Overview

General Information

Sample Name:	ietabhelper.exe
Analysis ID:	335603
MD5:	bc63e7f22cd5ce2ebd6f114348073623
SHA1:	665a18811dc981c1ee5b0258823216aab40cc2f8
SHA256:	0e28906292348cbe1f6ad70aa943ed4c71615fbbccf702123639c535e26dd98b
Most interesting Screenshot:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains strange resources

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

ietabhelper.exe (PID: 5464 cmdline: 'C:\Users\user\Desktop\ietabhelper.exe' MD5: BC63E7F22CD5CE2EBD6F114348073623)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C79B10 lstrlenA,MultiByteToWideChar,FindFirstFileExW,lstrlenW,WideCharToMultiByte,FindNextFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C797B0 FindFirstFileExW,FindClose,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,DeleteFileW,RemoveDirectoryW,FindClose,

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C5D840 URLDownloadToCacheFileW,

Source: ietabhelper.exe	String found in binary or memory: http://certificates.godaddy.com/repository/0v
Source: ietabhelper.exe	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: ietabhelper.exe	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: ietabhelper.exe	String found in binary or memory: http://crl.godaddy.com/gdig2s5-0.crl0S
Source: ietabhelper.exe	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: ietabhelper.exe	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: ietabhelper.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ietabhelper.exe	String found in binary or memory: http://ocsp.godaddy.com/0
Source: ietabhelper.exe	String found in binary or memory: http://ocsp.godaddy.com/02
Source: ietabhelper.exe	String found in binary or memory: http://ocsp.godaddy.com/05
Source: ietabhelper.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ietabhelper.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ietabhelper.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ietabhelper.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ietabhelper.exe	String found in binary or memory: https://certs.godaddy.com/repository/0

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C5FB50 GetKeyState,GetKeyState,GetKeyState,

Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C78FD0
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C8F0C2
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C8E0D2
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C5D050
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C72190
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C6B100
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C9A20F
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C7F3B0
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C8934E
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C63350
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C9832B
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C6E490
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C994AB
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C71450
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C84610
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C8975A
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C9886F
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C88AA5
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C6BB80
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C89B7A
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C8AC85
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C98DB3
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C88F7A

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: String function: 00C8A1AC appears 41 times

Source: ietabhelper.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ietabhelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ietabhelper.exe, 00000000.00000002.193861108.0000000000CB3000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamehelper.exe@ vs ietabhelper.exe
Source: ietabhelper.exe	Binary or memory string: OriginalFilenamehelper.exe@ vs ietabhelper.exe

Source: classification engine

Classification label: clean6.winEXE@1/3@0/0

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C55320 CoCreateInstance,CoCreateInstance,lstrlenW,CLSIDFromString,CLSIDFromProgID,SysStringLen,CoGetClassObject,CoCreateInstance,

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C81890 GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,

Source: C:\Users\user\Desktop\ietabhelper.exe

File created: C:\Users\user\AppData\Local\IE Tab

Jump to behavior

Source: ietabhelper.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ietabhelper.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\ietabhelper.exe

File read: C:\Users\user\Desktop\ietabhelper.exe

Jump to behavior

Source: C:\Users\user\Desktop\ietabhelper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: ietabhelper.exe

Static PE information: certificate valid

Source: ietabhelper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ietabhelper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ietabhelper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ietabhelper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ietabhelper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ietabhelper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ietabhelper.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Don\Documents\src\ietabmoney\helper\Release\ietabhelper.pdb source: ietabhelper.exe

Source: ietabhelper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ietabhelper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ietabhelper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ietabhelper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ietabhelper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C51070 LoadLibraryW,GetProcAddress,FreeLibrary,

Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C8A1F1 push ecx; ret
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C9D8C3 push ss; retf
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C85A46 push ecx; ret

Source: C:\Users\user\Desktop\ietabhelper.exe

File created: C:\Users\user\AppData\Local\IE Tab\9.4.7.1\ietabhelper.exe

Jump to dropped file

Source: C:\Users\user\Desktop\ietabhelper.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\ietabhelper.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\ietabhelper.exe

API coverage: 9.4 %

Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C79B10 lstrlenA,MultiByteToWideChar,FindFirstFileExW,lstrlenW,WideCharToMultiByte,FindNextFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C797B0 FindFirstFileExW,FindClose,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,DeleteFileW,RemoveDirectoryW,FindClose,

Source: C:\Users\user\Desktop\ietabhelper.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C83677 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C51070 LoadLibraryW,GetProcAddress,FreeLibrary,

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C83296 GetProcessHeap,HeapAlloc,RtlInterlockedPopEntrySList,VirtualAlloc,RtlInterlockedPopEntrySList,VirtualFree,RtlInterlockedPushEntrySList,

Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C82348 _abort,__NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C91070 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C83677 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C83EAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: 0_2_00C85F3E __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\ietabhelper.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C91652 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\ietabhelper.exe

Code function: 0_2_00C6F490 GetVersionExW,ReadFile,WaitForSingleObject,ReadFile,PostMessageW,ReadFile,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API2	Path Interception	Path Interception	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery13	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
ietabhelper.exe	0%	Virustotal	Browse
ietabhelper.exe	0%	Metadefender	Browse
ietabhelper.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\IE Tab\9.4.7.1\ietabhelper.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\IE Tab\9.4.7.1\ietabhelper.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\IE Tab\9.4.7.1\ietabhelper.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.godaddy.com/gdroot-g2.crl0F	ietabhelper.exe	false		high
http://certificates.godaddy.com/repository/0v	ietabhelper.exe	false		high
https://certs.godaddy.com/repository/0	ietabhelper.exe	false		high
http://crl.godaddy.com/gdig2s5-0.crl0S	ietabhelper.exe	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	ietabhelper.exe	false		high
http://certificates.godaddy.com/repository/gdig2.crt0	ietabhelper.exe	false		high
http://ocsp.thawte.com0	ietabhelper.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certs.godaddy.com/repository/1301	ietabhelper.exe	false		high
http://crl.godaddy.com/gdroot.crl0F	ietabhelper.exe	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	335603
Start date:	03.01.2021
Start time:	14:27:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 55s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ietabhelper.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean6.winEXE@1/3@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 68.6% (good quality ratio 66.7%) Quality average: 75.7% Quality standard deviation: 28.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\IE Tab\9.4.7.1\ietabhelper.exe Download File
Process:	C:\Users\user\Desktop\ietabhelper.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	473640
Entropy (8bit):	6.386028286604459
Encrypted:	false
SSDEEP:	6144:3gNxZ22UPhGZsfee1ltHX94T0vL7MLBGNalMQEgUYVUd3GpCV:3gN/IPh4o7ltHt44vHMLBUOMQEgUYo
MD5:	BC63E7F22CD5CE2EBD6F114348073623
SHA1:	665A18811DC981C1EE5B0258823216AAB40CC2F8
SHA-256:	0E28906292348CBE1F6AD70AA943ED4C71615FBBCCF702123639C535E26DD98B
SHA-512:	D5C8123F88999E20B20ACCABC283538B2616A65D9EB4A15B5F2B5BA4B5219F59CC8966CAF2745AF18DE2AB08623EB2CAC54CD5E422ECC25D0F2B2BFAAB4D9CB1
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............K..K..K..fK...K..wK...K..pKx..K.s.K..K.s.K...K..K..K..yK..K..gK..K..bK..KRich..K........PE..L...,Z.W.....................N.......U............@..........................`......e.....@.................................h........0..................(........D..p...............................H<..@............................................text............................... ..`.rdata..............................@..@.data....X.......8..................@....rsrc........0......................@..@.reloc...X.......Z..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\IE Tab\9.4.7.1\ietabhelper.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ietabhelper.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\IE Tab\ietab_nm_manifest.json Download File
Process:	C:\Users\user\Desktop\ietabhelper.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	367
Entropy (8bit):	5.052356865698435
Encrypted:	false
SSDEEP:	6:u9/zVsLNk/dKtA7YWD0ckDzM2sLgizLYyl5nnG4juVdCEc7U1RFtIl:gptd2A77QE27izLYynG4jNEkU1Rkl
MD5:	8DB581D6156D65040004C11972C9889F
SHA1:	378CDF28BC72B1498BCED242317D090BE62FA31E
SHA-256:	34E795C17747EA61144EF322CDBDF74C5D675DDA47FF0F09AB79CC6983E7CBD1
SHA-512:	29AEC53D857887E44FD456A36FB5FDD20AB9B61B3D31FA679C52226459D8EB06FA3359B77D413380A98D40FD97E65712BEDDBD83A31D6F76F21AC6E8C0B1460C
Malicious:	false
Reputation:	low
Preview:	{.."name": "net.ietab.ietabhelper.peruser",.."description": "IE Tab Helper",.."path": "C:\\Users\\user\\AppData\\Local\\IE Tab\\9.4.7.1\\ietabhelper.exe",.."type": "stdio",.."allowed_origins": [ "chrome-extension://bjndombghfcohmonofdcfnhjldidnmhd/", "chrome-extension://knnoopddfdgdabjanjmeodpkmlhapkkl/", "chrome-extension://hehijbfgiekmjfkfjpbkbammjbdenadd/" ].}.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.386028286604459
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ietabhelper.exe
File size:	473640
MD5:	bc63e7f22cd5ce2ebd6f114348073623
SHA1:	665a18811dc981c1ee5b0258823216aab40cc2f8
SHA256:	0e28906292348cbe1f6ad70aa943ed4c71615fbbccf702123639c535e26dd98b
SHA512:	d5c8123f88999e20b20accabc283538b2616a65d9eb4a15b5f2b5ba4b5219f59cc8966caf2745af18de2ab08623eb2cac54cd5e422ecc25d0f2b2bfaab4d9cb1
SSDEEP:	6144:3gNxZ22UPhGZsfee1ltHX94T0vL7MLBGNalMQEgUYVUd3GpCV:3gN/IPh4o7ltHt44vHMLBUOMQEgUYo
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............K...K...K..fK...K..wK...K..pKx..K.s.K...K.s.K...K...K...K..yK...K..gK...K..bK...KRich...K........PE..L...,Z.W...........

File Icon


Icon Hash:	9a8a808292808000

Static PE Info

General
Entrypoint:	0x435515
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp:	0x57065A2C [Thu Apr 7 13:01:32 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	364d297a275ff6f0532b55340f33f1af

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	3/24/2015 7:55:40 AM 4/18/2017 2:26:21 PM
Subject Chain	CN=Blackfish Software, O=Blackfish Software, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	E47609FFDE97688A9E91C25C5EE03FD1
Thumbprint SHA-1:	A3BC301D730596175D9E829924D3C8A7C1319631
Thumbprint SHA-256:	D57846316CB3280780EA12053E44D7BC0EF54C0FE240622D00AB28EDB1CA2BA5
Serial:	00AF78B0B4986BBDAF

Entrypoint Preview

Instruction
call 00007F2BB435F22Dh
jmp 00007F2BB4352F6Eh
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F2BB4353116h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F2BB4353140h
test ecx, 00000003h
jne 00007F2BB43530E1h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F2BB43530DAh
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F2BB4353124h
test ah, ah
je 00007F2BB4353116h
test eax, 00FF0000h
je 00007F2BB4353105h
test eax, FF000000h
je 00007F2BB43530F4h
jmp 00007F2BB43530BFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0044E6C4h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F2BB43530FEh
test byte ptr [eax], 00000008h
je 00007F2BB43530F9h
mov dword ptr [ebp-0Ch], 00000000h

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b668	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xcef4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x71e00	0x1c28	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x70000	0x4400	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4e470	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x53c48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e000	0x3f4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4cad4	0x4cc00	False	0.525381082044	data	6.58462013635	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4e000	0xeb86	0xec00	False	0.346398305085	data	4.70355148199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5d000	0x58dc	0x3800	False	0.24755859375	data	4.40837579619	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x63000	0xcef4	0xd000	False	0.146709735577	data	4.37678378488	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x70000	0x58c4	0x5a00	False	0.538671875	data	5.661331641	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
FILE	0x635fc	0xa1	ASCII text	English	United States
TYPELIB	0x636a0	0xa28	data	English	United States
RT_ICON	0x640c8	0x2e8	data	English	United States
RT_ICON	0x643b0	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x644d8	0xea8	data	English	United States
RT_ICON	0x65380	0x8a8	data	English	United States
RT_ICON	0x65c28	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x66190	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x68738	0x10a8	data	English	United States
RT_ICON	0x697e0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x69c48	0x2e8	data	English	United States
RT_ICON	0x69f30	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x6a058	0xea8	data	English	United States
RT_ICON	0x6af00	0x8a8	data	English	United States
RT_ICON	0x6b7a8	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x6bd10	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x6e2b8	0x10a8	data	English	United States
RT_ICON	0x6f360	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0x6f7c8	0x4a	data	English	United States
RT_DIALOG	0x6f814	0x12c	data	English	United States
RT_STRING	0x6f940	0x38	data	English	United States
RT_ACCELERATOR	0x6f978	0x10	data	English	United States
RT_GROUP_ICON	0x6f988	0x76	data	English	United States
RT_GROUP_ICON	0x6fa00	0x76	data	English	United States
RT_VERSION	0x6fa78	0x320	data	English	United States
RT_MANIFEST	0x6fd98	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleW, lstrcmpiW, SizeofResource, LoadResource, FindResourceW, LoadLibraryExW, CreateThread, GetModuleHandleA, OpenProcess, CloseHandle, GetCurrentProcessId, GetStdHandle, SetStdHandle, WideCharToMultiByte, CreateEventW, lstrlenA, WriteFile, FlushFileBuffers, SetEvent, PeekNamedPipe, WaitForSingleObject, ReadFile, GetVersionExW, CreateFileW, CopyFileW, FindFirstFileExW, FindNextFileW, FindClose, DeleteFileW, RemoveDirectoryW, LockResource, GetTempFileNameW, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetLocaleInfoW, GetConsoleMode, GetConsoleCP, SetFilePointer, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, lstrcmpW, GetStringTypeA, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetStartupInfoA, GetFileType, SetHandleCount, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, InitializeCriticalSectionAndSpinCount, IsValidCodePage, GetOEMCP, GetACP, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetModuleFileNameA, HeapCreate, CompareStringW, GetStringTypeW, LCMapStringW, LCMapStringA, GetCPInfo, RtlUnwind, GetStartupInfoW, ExitProcess, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, HeapSize, HeapReAlloc, HeapDestroy, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, LoadLibraryA, HeapAlloc, GetProcessHeap, HeapFree, Sleep, InterlockedExchange, InterlockedCompareExchange, SetLastError, RaiseException, InitializeCriticalSection, DeleteCriticalSection, InterlockedIncrement, InterlockedDecrement, LeaveCriticalSection, EnterCriticalSection, MultiByteToWideChar, GetTickCount, GetModuleFileNameW, LoadLibraryW, GetFileAttributesW, GlobalFree, GetCurrentThreadId, FlushInstructionCache, GetCurrentProcess, GetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrlenW, FreeLibrary, GetProcAddress
USER32.dll	InvalidateRect, BeginPaint, GetClientRect, SetFocus, IsWindow, GetFocus, IsChild, DestroyWindow, ReleaseDC, EqualRect, SetWindowPos, GetParent, GetWindowPlacement, SetWindowLongA, SetParent, LoadStringW, LoadAcceleratorsW, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, UpdateWindow, GetDC, EndPaint, SetWindowLongW, GetWindowLongW, DefWindowProcW, CallWindowProcW, SetWindowsHookExW, UnhookWindowsHookEx, CallNextHookEx, FindWindowExW, MessageBoxW, GetForegroundWindow, KillTimer, AnimateWindow, ShowWindow, IsWindowVisible, GetKeyState, PostQuitMessage, GetAncestor, GetWindowThreadProcessId, SetTimer, DialogBoxParamW, EndDialog, LoadMenuW, RegisterWindowMessageW, GetWindowTextLengthW, GetWindowTextW, SetWindowTextW, GetWindow, GetDlgItem, GetClassNameW, GetSysColor, CharNextW, RedrawWindow, LoadCursorW, GetClassInfoExW, RegisterClassExW, CreateAcceleratorTableW, ScreenToClient, SetCapture, ReleaseCapture, FillRect, InvalidateRgn, GetDesktopWindow, DestroyAcceleratorTable, CreateWindowExW, SendMessageW, PostMessageW, MoveWindow, ClientToScreen, GetWindowRect, UnregisterClassA
GDI32.dll	GetStockObject, DeleteDC, BitBlt, DeleteObject, SelectObject, CreateCompatibleBitmap, CreateCompatibleDC, CreateSolidBrush, GetTextExtentPoint32W, CreateFontIndirectW, GetPixel, GetObjectW, GetDeviceCaps
ADVAPI32.dll	RegCloseKey, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegDeleteValueW, RegCreateKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegDeleteKeyW, RegSetValueExW, RegOpenKeyExW
SHELL32.dll	SHCreateDirectoryExW, SHGetFolderPathW, ShellExecuteExW
ole32.dll	CreateStreamOnHGlobal, CoTaskMemFree, CoTaskMemRealloc, OleInitialize, OleUninitialize, CLSIDFromString, CLSIDFromProgID, CoGetClassObject, CoCreateInstance, OleLockRunning, StringFromGUID2, CoTaskMemAlloc
OLEAUT32.dll	VarUI4FromStr, DispCallFunc, SysAllocStringLen, OleCreateFontIndirect, LoadTypeLib, LoadRegTypeLib, SysStringLen, SysAllocString, SysFreeString, VariantClear, VariantInit
dbghelp.dll	MiniDumpWriteDump
WININET.dll	InternetSetCookieExW, InternetCrackUrlW
urlmon.dll	URLDownloadToCacheFileW, CreateURLMoniker

Version Infos

Description	Data
LegalCopyright	Copyright 2014 Blackfish Software
InternalName	ietabhelper.exe
FileVersion	9, 4, 7, 1
CompanyName	Blackfish Software
ProductName	ietabhelper.exe
ProductVersion	9, 4, 7, 1
FileDescription	IE Tab Helper application
OriginalFilename	helper.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: ietabhelper.exe PID: 5464 Parent PID: 5704

General

Start time:	14:27:54
Start date:	03/01/2021
Path:	C:\Users\user\Desktop\ietabhelper.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ietabhelper.exe'
Imagebase:	0xc50000
File size:	473640 bytes
MD5 hash:	BC63E7F22CD5CE2EBD6F114348073623
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Registry Activities

Key Created

Key Value Created

Disassembly

Code Analysis

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ietabhelper.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

System Behavior

Analysis Process: ietabhelper.exe PID: 5464 Parent PID: 5704

General

File Activities

File Created

File Written

File Read

Registry Activities

Key Created

Key Value Created

Disassembly

Code Analysis