
Windows Analysis Report: tasksche.exe

Overview

General Information

Sample Name:tasksche.exe
Analysis ID:344
MD5:ed22ce8d03352290d9ae3c16f226775f
SHA1:7d3cbf9ce6f11f583d6fab85652be8deed186d7f
SHA256:0803d5abaa188c990f4f9731e292d405a3b83835847235523de4d1597a548746
Errors
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Uses 32bit PE files
PE file does not import any functions
Yara signature match

Classification

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: tasksche.exe
Rule: WannaCry_Ransomware
Description: Detects WannaCry Ransomware
Author: Florian Roth (with the help of binar.ly)
Strings:
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry

Source: tasksche.exe
Rule: wanna_cry_ransomware_generic
Description: detects wannacry ransomware on disk and in virtual page
Author: us-cert code analysis team
Strings:
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E ...
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 ...

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Machine Learning detection for sample
Source: tasksche.exe; Joe Sandbox ML: detected
Source: tasksche.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

System Summary:

Malicious sample detected (through community Yara rule)
Source: tasksche.exe, type: SAMPLE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
Source: tasksche.exe, type: SAMPLE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
Source: tasksche.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: tasksche.exe; Static PE information: No import functions for PE file found
Source: tasksche.exe, type: SAMPLE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: tasksche.exe, type: SAMPLE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: tasksche.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tasksche.exe; Static PE information: Section: .rdata ZLIB complexity 1.00076219512
Source: tasksche.exe; Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe; Static PE information: Section: .rsrc ZLIB complexity 1.00074084052
Source: classification engine; Classification label: mal52.winEXE@0/0@0/0
Source: tasksche.exe; Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: tasksche.exe; Static file information: File size 2061938 > 1048576
Source: tasksche.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: initial sample; Static PE information: section name: .text entropy: 7.6297562238

Mitre Att&ck Matrix

Tactic: techniques listed in the matrix (a number in parentheses is the count of matched signatures shown in the original matrix)

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Software Packing (3); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Service Discovery; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: tasksche.exe
Detection: 100%
Scanner: Joe Sandbox ML
Label: (none)
Link: (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:344
Start date:25.08.2021
Start time:16:16:46
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 38s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:tasksche.exe
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Number of new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.winEXE@0/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Errors:
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Simulations

Behavior and APIs

No simulations

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.48308667683592
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:tasksche.exe
File size:2061938
MD5:ed22ce8d03352290d9ae3c16f226775f
SHA1:7d3cbf9ce6f11f583d6fab85652be8deed186d7f
SHA256:0803d5abaa188c990f4f9731e292d405a3b83835847235523de4d1597a548746
SHA512:53d1d819c25ecc91e239f47b099a88f621b67f1b51cbc74f9e825d64a6cd1e6851c821dead2b06bc68f5c50e58eaf608330ddc61f8c68a320ef95539cd3b0f05
SSDEEP:12288:ntgQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFGeXE3Tb:tgQhfdmMSirYbcMNgef0QeQjG/
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$..G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U...........

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x41da1b
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x55FF0C81 [Sun Sep 20 19:44:01 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:

Entrypoint Preview


Rich Headers

Programming Language:
  • [ASM] VS2008 SP1 build 30729
  • [ C ] VS2008 SP1 build 30729
  • [LNK] VS2008 SP1 build 30729
  • [C++] VS2008 SP1 build 30729
  • [EXP] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x2f070          0x33          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2dbf4          0xdc          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x52000          0x3928        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x2a400          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2cc80          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2a000          0x394         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x289e4       0x28a00   False     0.826989182692   data       7.6297562238   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x2a000          0x50a3        0x5200    False     1.00076219512    data       7.99151554424  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x30000          0x21428       0x1600    False     1.001953125      data       7.96571647895  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x52000          0x3928        0x3a00    False     1.00074084052    data       7.98770497221  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly
