Play interactive tour

Edit tour

Windows Analysis Report dbsrv17.exe

Overview

General Information

Sample Name:	dbsrv17.exe
Analysis ID:	494109
MD5:	5c86344990a0599737ad2decb639d6ba
SHA1:	8f379c179f04c92dbfe41f937dfa7f86b4a01bfa
SHA256:	870653ebed929ba53503b54c45985bb56057c591ed74d5f7aa0f4a27654c5b2c
Infos:
Most interesting Screenshot:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

dbsrv17.exe (PID: 2152 cmdline: 'C:\Users\user\Desktop\dbsrv17.exe' MD5: 5C86344990A0599737AD2DECB639D6BA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: dbsrv17.exe

Static PE information: certificate valid

Source: dbsrv17.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:

Binary string: e:\17010_rc1\obj\nt_ms_amd64_p\dbsrv17.pdb source: dbsrv17.exe

Source: dbsrv17.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: dbsrv17.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: dbsrv17.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: dbsrv17.exe	String found in binary or memory: http://s2.symcb.com0
Source: dbsrv17.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0W
Source: dbsrv17.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: dbsrv17.exe	String found in binary or memory: http://sv.symcd.com0&
Source: dbsrv17.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: dbsrv17.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: dbsrv17.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: dbsrv17.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: dbsrv17.exe	String found in binary or memory: http://www.symauth.com/rpa00
Source: dbsrv17.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: dbsrv17.exe	String found in binary or memory: https://d.symcb.com/rpa0

Source: dbsrv17.exe

Binary or memory string: OriginalFilename vs dbsrv17.exe

Source: dbsrv17.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dbsrv17.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dbsrv17.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dbsrv17.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dbsrv17.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dbsrv17.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\dbsrv17.exe

Section loaded: dbserv17.dll

Jump to behavior

Source: C:\Users\user\Desktop\dbsrv17.exe	Code function: 0_2_00007FF619D66F18	0_2_00007FF619D66F18
Source: C:\Users\user\Desktop\dbsrv17.exe	Code function: 0_2_00007FF619D61E8C	0_2_00007FF619D61E8C
Source: C:\Users\user\Desktop\dbsrv17.exe	Code function: 0_2_00007FF619D61BA0	0_2_00007FF619D61BA0

Source: dbsrv17.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dbsrv17.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean5.winEXE@1/0@0/0

Source: dbsrv17.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: dbsrv17.exe

Static PE information: certificate valid

Source: dbsrv17.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dbsrv17.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dbsrv17.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dbsrv17.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dbsrv17.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dbsrv17.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dbsrv17.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: dbsrv17.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: e:\17010_rc1\obj\nt_ms_amd64_p\dbsrv17.pdb source: dbsrv17.exe

Source: dbsrv17.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dbsrv17.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dbsrv17.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dbsrv17.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dbsrv17.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\dbsrv17.exe

Code function: 0_2_00007FF619D64E14 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00007FF619D64E14

Source: C:\Users\user\Desktop\dbsrv17.exe

Code function: 0_2_00007FF619D61BA0 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF619D61BA0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\dbsrv17.exe

Code function: 0_2_00007FF619D66AF0 IsDebuggerPresent,

0_2_00007FF619D66AF0

Source: C:\Users\user\Desktop\dbsrv17.exe

0_2_00007FF619D64E14

Source: C:\Users\user\Desktop\dbsrv17.exe

0_2_00007FF619D64E14

Source: C:\Users\user\Desktop\dbsrv17.exe

Code function: 0_2_00007FF619D620FC GetProcessHeap,

0_2_00007FF619D620FC

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\dbsrv17.exe

Code function: 0_2_00007FF619D63008 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF619D63008

Source: C:\Users\user\Desktop\dbsrv17.exe

Code function: 0_2_00007FF619D613D8 cpuid

0_2_00007FF619D613D8

Source: C:\Users\user\Desktop\dbsrv17.exe

Code function: 0_2_00007FF619D62880 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF619D62880

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	DLL Side-Loading1	DLL Side-Loading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Application Shimming1	Application Shimming1	Rootkit	LSASS Memory	Security Software Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dbsrv17.exe	2%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0	dbsrv17.exe	false		high
http://www.symauth.com/cps0(	dbsrv17.exe	false		high
http://www.symauth.com/rpa00	dbsrv17.exe	false		high
http://ocsp.thawte.com0	dbsrv17.exe	false	URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	494109
Start date:	30.09.2021
Start time:	10:38:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dbsrv17.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.5% (good quality ratio 77.5%) Quality average: 59.2% Quality standard deviation: 39.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 10
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Execution Graph export aborted for target dbsrv17.exe, PID 2152 because there are no executed function VT rate limit hit for: /opt/package/joesandbox/database/analysis/494109/sample/dbsrv17.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	4.813766179999059
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dbsrv17.exe
File size:	138624
MD5:	5c86344990a0599737ad2decb639d6ba
SHA1:	8f379c179f04c92dbfe41f937dfa7f86b4a01bfa
SHA256:	870653ebed929ba53503b54c45985bb56057c591ed74d5f7aa0f4a27654c5b2c
SHA512:	efa0efed57f15104bb010066e0771dcdff8f9fea30fad73e7acaf853a20c13ddcb2538df1b351cadc742921b0199534155d2f46ddad8be5b693cbe7ba54e4f54
SSDEEP:	1536:EbTfTm1+dQB6tIK/R2KXQtl9MHdU8tisW1Jdbie9KkCeZ611pAM7oNr:kTa1+dLtIK52KXAMBCbjlZ6iM7oNr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!..Ke...e...e....:5.v....:4.0....:7.b.....1.f...e...7.....C.g.....5.f...B:3.d...e.m.d.....6.d...Riche..........................

File Icon


Icon Hash:	71f870b858ccc4c0

Static PE Info

General
Entrypoint:	0x14000120c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5F032D68 [Mon Jul 6 13:55:52 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	1e9d7759e50938608f0b77329b5fc030

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	3/30/2020 5:00:00 PM 6/29/2021 4:59:59 PM
Subject Chain	CN=SAP, OU=SQL Anywhere Development, O=SAP, L=Walldorf, S=Baden-WÃ¼rttemberg, C=DE
Version:	3
Thumbprint MD5:	5E7FA600E6F946B3FC710C2898C6B0D9
Thumbprint SHA-1:	568C69A48D8733590233B25504E573EAADA49C4E
Thumbprint SHA-256:	EF2E15A563A47934D7C8E65A80BFDA08833E60170724B47437730B492B8ED80B
Serial:	74E64DBB28FBD5AB5D9CEF5FBC399604

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5614A66EB0h
dec eax
add esp, 28h
jmp 00007F5614A65847h
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 30h
call 00007F5614A671F5h
movzx esi, ax
mov ecx, 00000002h
call 00007F5614A66E3Ch
mov eax, 00005A4Dh
dec eax
lea edi, dword ptr [FFFFEDB3h]
cmp word ptr [FFFFEDACh], ax
je 00007F5614A65846h
xor ebx, ebx
jmp 00007F5614A65873h
dec eax
arpl word ptr [FFFFEDDBh], ax
dec eax
add eax, edi
cmp dword ptr [eax], 00004550h
jne 00007F5614A6582Ch
mov ecx, 0000020Bh
cmp word ptr [eax+18h], cx
jne 00007F5614A65821h
xor ebx, ebx
cmp dword ptr [eax+00000084h], 0Eh
jbe 00007F5614A6584Bh
cmp dword ptr [eax+000000F8h], ebx
setne bl
mov dword ptr [esp+40h], ebx
call 00007F5614A666ADh
test eax, eax
jne 00007F5614A65864h
cmp dword ptr [00010D99h], 01h
jne 00007F5614A65847h
call 00007F5614A663B7h
mov ecx, 0000001Ch
call 00007F5614A66421h
mov ecx, 000000FFh
call 00007F5614A6600Fh
call 00007F5614A65F22h
test eax, eax
jne 00007F5614A65864h
cmp dword ptr [00010D6Eh], 01h
jne 00007F5614A65847h
call 00007F5614A6638Ch
mov ecx, 00000010h

Rich Headers

Programming Language:

[IMP] VS2012 UPD4 build 61030
[C++] VS2012 UPD4 build 61030
[RES] VS2012 build 50727
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xea20	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x109b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x14000	0x798	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x20600	0x1780	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0x530	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xe2a0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x238	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x70eb	0x7200	False	0.579941063596	zlib compressed data	6.23444541702	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x61d4	0x6200	False	0.320910395408	data	3.88364571867	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x10000	0x3a20	0x1400	False	0.1416015625	data	1.83348677239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x14000	0x798	0x800	False	0.4755859375	data	4.21858465668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x15000	0x109b8	0x10a00	False	0.154252819549	data	3.68884600921	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26000	0x730	0x800	False	0.45263671875	data	4.24052997343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x21ab8	0x1d24	data	English	United States
RT_BITMAP	0x237e0	0x1d24	data	English	United States
RT_ICON	0x162c8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 37787, next used block 0	English	United States
RT_ICON	0x165b0	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x166d8	0xea8	data	English	United States
RT_ICON	0x17580	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16776176, next used block 10526884	English	United States
RT_ICON	0x17e28	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x18390	0x25a8	data	English	United States
RT_ICON	0x1a938	0x10a8	data	English	United States
RT_ICON	0x1b9e0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1bec0	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 37787, next used block 0	English	United States
RT_ICON	0x1c1a8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1c2d0	0xea8	data	English	United States
RT_ICON	0x1d178	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16776176, next used block 10526884	English	United States
RT_ICON	0x1da20	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1df88	0x25a8	data	English	United States
RT_ICON	0x20530	0x10a8	data	English	United States
RT_ICON	0x215d8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_MESSAGETABLE	0x15cf8	0x5cc	Hitachi SH big-endian COFF object file, not stripped, 0 section, symbol offset=0x1000000, 1073741824 symbols, optional header size 59395	English	United States
RT_GROUP_ICON	0x21a40	0x76	data	English	United States
RT_GROUP_ICON	0x1be48	0x76	data	English	United States
RT_VERSION	0x15500	0x7f4	data	English	United States
RT_MANIFEST	0x25508	0x4aa	XML 1.0 document text	English	United States

Imports

DLL

Import

dbserv17.dll

?DBReadLicenseFile@@YAIPEBDPEAUa_db_parms@@PEAPEAD@Z, SetParmBlock, SetLicense, WinMainGuts

KERNEL32.dll

TlsSetValue, CreateFileW, CloseHandle, WriteConsoleW, SetFilePointerEx, SetDllDirectoryA, GetCommandLineA, GetLastError, SetLastError, GetCurrentThreadId, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, GetProcAddress, MultiByteToWideChar, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, GetFileType, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsFree, GetModuleHandleW, RtlUnwindEx, EnterCriticalSection, LeaveCriticalSection, HeapFree, Sleep, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, IsDebuggerPresent, IsProcessorFeaturePresent, LoadLibraryExW, OutputDebugStringW, LoadLibraryW, HeapAlloc, HeapReAlloc, GetStringTypeW, HeapSize, LCMapStringW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetStdHandle

Version Infos

Description	Data
LegalCopyright	Copyright 2019 SAP SE or an SAP affiliate company. All rights reserved.
InternalName	dbsrv17
FileVersion	17.0.10.6175 (64-bit)
CompanyName	SAP SE or an SAP affiliate company
ProductName	SQL Anywhere
Full Copyright	Copyright 2019 SAP SE or an SAP affiliate company. All rights reserved.
ProductVersion	17.0.10.6175 (64-bit)
FileDescription	SQL Anywhere Network Server
OriginalFilename	dbsrv17.exe
LegalCopyright	Copyright 2019 SAP SE or an SAP affiliate company. All rights reserved.
InternalName	dbsrv17
FileVersion	17.0.10.6175 (64-bit)
CompanyName	SAP SE or an SAP affiliate company
ProductName	SQL Anywhere
Full Copyright	Copyright 2019 SAP SE or an SAP affiliate company. All rights reserved.
ProductVersion	17.0.10.6175 (64-bit)
FileDescription	SQL Anywhere Network Server
OriginalFilename	dbsrv17.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• dbsrv17.exe

Click to jump to process

Memory Usage

• dbsrv17.exe

Click to jump to process

System Behavior

Analysis Process: dbsrv17.exe PID: 2152 Parent PID: 5124

Function Logs

General

Start time:	10:39:25
Start date:	30/09/2021
Path:	C:\Users\user\Desktop\dbsrv17.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\dbsrv17.exe'
Imagebase:	0x7ff619d60000
File size:	138624 bytes
MD5 hash:	5C86344990A0599737AD2DECB639D6BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: dbsrv17.exe PID: 2152 Parent PID: 5124 dbsrv17.exeCOMMON

Executed Functions

Non-executed Functions

Function 00007FF619D66F18, Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF619D66F6E
_errno.LIBCMT ref: 00007FF619D66F75
_invalid_parameter_noinfo.LIBCMT ref: 00007FF619D66F80

Strings

U, xrefs: 00007FF619D674E2

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: c7972e0d1a82aa9315a76af7aa006575af61b3576887674a11a694d7686a1bb0
Instruction ID: f1f54360cc6ea72e2b0e3a83397a3f0ac79ef6fc5bc007275d2670d969cdf7fa
Opcode Fuzzy Hash: c7972e0d1a82aa9315a76af7aa006575af61b3576887674a11a694d7686a1bb0
Instruction Fuzzy Hash: 3B128232E18F8A86EB208F24D4443BA7761FB95F68F550336EA4D82694EF3DE545CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF619D63008, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF619D63013

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9649d22b4fe47a765866d9c6e47482d37810362d63375f8a895b47cd785e176c
Instruction ID: 7099114f9a16182438aca89a70f14ff5422685e1fc5194b6a61a3d0cad131d9f
Opcode Fuzzy Hash: 9649d22b4fe47a765866d9c6e47482d37810362d63375f8a895b47cd785e176c
Instruction Fuzzy Hash: AFC09B71F58D4DD3EB1C1FB2A45B0B52111D71CF74F185534CD16453508D2C90D5C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF619D6120C, Relevance: 24.1, APIs: 16, Instructions: 98COMMON

Download Yara Rule

APIs

__security_init_cookie.LIBCMT ref: 00007FF619D61210

Part of subcall function 00007FF619D62880: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF619D628AC
Part of subcall function 00007FF619D62880: GetCurrentThreadId.KERNEL32 ref: 00007FF619D628BA
Part of subcall function 00007FF619D62880: GetCurrentProcessId.KERNEL32 ref: 00007FF619D628C6
Part of subcall function 00007FF619D62880: QueryPerformanceCounter.KERNEL32 ref: 00007FF619D628D6

__crtGetShowWindowMode.LIBCMT ref: 00007FF619D6122F

Part of subcall function 00007FF619D62BE4: GetStartupInfoW.KERNEL32 ref: 00007FF619D62BF0

_heap_init.LIBCMT ref: 00007FF619D6128F
_FF_MSGBANNER.LIBCMT ref: 00007FF619D612A1
_NMSG_WRITE.LIBCMT ref: 00007FF619D612AB
_mtinit.LIBCMT ref: 00007FF619D612BA
_FF_MSGBANNER.LIBCMT ref: 00007FF619D612CC
_NMSG_WRITE.LIBCMT ref: 00007FF619D612D6
_RTC_Initialize.LIBCMT ref: 00007FF619D612E5
_ioinit.LIBCMT ref: 00007FF619D612EB
fast_error_exit.LIBCMT ref: 00007FF619D612F9
GetCommandLineA.KERNEL32 ref: 00007FF619D612FE
__crtGetEnvironmentStringsA.LIBCMT ref: 00007FF619D6130B
__setargv.LIBCMT ref: 00007FF619D61317
_setenvp.LIBCMT ref: 00007FF619D6132A
_cinit.LIBCMT ref: 00007FF619D61342

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: CurrentTime__crt$CommandCounterEnvironmentFileInfoInitializeLineModePerformanceProcessQueryShowStartupStringsSystemThreadWindow__security_init_cookie__setargv_cinit_heap_init_ioinit_mtinit_setenvpfast_error_exit
String ID:
API String ID: 2793883768-0
Opcode ID: e74c4c78411f3098b1e6f2b7f7671ab954f5d47c53fbc7fa401be77077f1027c
Instruction ID: 7106630893aff15a89204570b75ba727c6796270a049ca51cb60f83b1bd43bf0
Opcode Fuzzy Hash: e74c4c78411f3098b1e6f2b7f7671ab954f5d47c53fbc7fa401be77077f1027c
Instruction Fuzzy Hash: E8412624E0CECB82F654AFB195522B932A5BF95B6CF000739E64DC26D3DE2CA841C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF619D66E38, Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF619D66E63

Part of subcall function 00007FF619D645E4: _getptd_noexit.LIBCMT ref: 00007FF619D645E8

__doserrno.LIBCMT ref: 00007FF619D66E5B

Part of subcall function 00007FF619D64574: _getptd_noexit.LIBCMT ref: 00007FF619D64578

__lock_fhandle.LIBCMT ref: 00007FF619D66EA7
_unlock_fhandle.LIBCMT ref: 00007FF619D66EE1

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 36f07df2eac46b97d270c026d903082a898c3a71b9809f4221333356449d40a7
Instruction ID: 4768d1d9506212456a0e435b10030867f386ca1da4cf641afa31027e77cb1d48
Opcode Fuzzy Hash: 36f07df2eac46b97d270c026d903082a898c3a71b9809f4221333356449d40a7
Instruction Fuzzy Hash: 6F21B032E08DCA46E605AF19D85137D7561AF91FB8F868339EA2D872D2CF7CA841C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF619D66D60, Relevance: 13.6, APIs: 9, Instructions: 63COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF619D66D79

Part of subcall function 00007FF619D645E4: _getptd_noexit.LIBCMT ref: 00007FF619D645E8

__lock_fhandle.LIBCMT ref: 00007FF619D66DC1
FlushFileBuffers.KERNEL32(00000001,00000000,00000000,00007FF619D66972,?,?,00000001,00007FF619D66A9D,?,?,?,?,?,00007FF619D65255), ref: 00007FF619D66DDC
GetLastError.KERNEL32(?,?,00000001,00007FF619D66A9D,?,?,?,?,?,00007FF619D65255), ref: 00007FF619D66DE6
__doserrno.LIBCMT ref: 00007FF619D66DF6
_errno.LIBCMT ref: 00007FF619D66DFD
_unlock_fhandle.LIBCMT ref: 00007FF619D66E0D

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 2927645455-0
Opcode ID: 20a34fca2b3c18aa0eb564cf9366d5c0134582ca78e6221d40e9e53e72571cde
Instruction ID: 6d0de4e1c70cf598740dba4a0734e783742e79a1ac166a9ec9acd85ff2a923b2
Opcode Fuzzy Hash: 20a34fca2b3c18aa0eb564cf9366d5c0134582ca78e6221d40e9e53e72571cde
Instruction Fuzzy Hash: 3221BB31E08ECA86E615AF69D9852BD7A51AF81F78F494339DA1DC72D2DE7CA840C600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF619D67CD4, Relevance: 13.6, APIs: 9, Instructions: 57COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF619D67CF5

Part of subcall function 00007FF619D645E4: _getptd_noexit.LIBCMT ref: 00007FF619D645E8

__doserrno.LIBCMT ref: 00007FF619D67CED

Part of subcall function 00007FF619D64574: _getptd_noexit.LIBCMT ref: 00007FF619D64578

__lock_fhandle.LIBCMT ref: 00007FF619D67D39
_close_nolock.LIBCMT ref: 00007FF619D67D4C
_unlock_fhandle.LIBCMT ref: 00007FF619D67D65

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: 1934a1f2d0a80fb76a86c0ab2385b7785488ee0b13b35fb4a0109b641a4e89f6
Instruction ID: 5a362db111672451bfa173edd3903a865aa2c344dde524618aa86701894a9eae
Opcode Fuzzy Hash: 1934a1f2d0a80fb76a86c0ab2385b7785488ee0b13b35fb4a0109b641a4e89f6
Instruction Fuzzy Hash: 0011CD32E08FCE85F215AF24988127C7652AF91F78F1A4B35DA1D872D6EE7CA440CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF619D654D4, Relevance: 12.0, APIs: 8, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF619D65504
_NMSG_WRITE.LIBCMT ref: 00007FF619D6550E
HeapAlloc.KERNEL32(?,?,00000000,00007FF619D635B4,?,?,?,00007FF619D633E8,?,?,?,00007FF619D632E7), ref: 00007FF619D65529
_callnewh.LIBCMT ref: 00007FF619D65542
_errno.LIBCMT ref: 00007FF619D6554D
_errno.LIBCMT ref: 00007FF619D65558
_callnewh.LIBCMT ref: 00007FF619D65568
_errno.LIBCMT ref: 00007FF619D6556D

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: _errno$_callnewh$AllocHeap
String ID:
API String ID: 2989141601-0
Opcode ID: 725147d930a2f4750ef678cc6f5f502977de4cfcac2d68ea06779ba9711c0887
Instruction ID: 2e6a4ff377b72c8a6a8f6f684ba1ed75779e671de2ecf0b4a5e92d9f41061308
Opcode Fuzzy Hash: 725147d930a2f4750ef678cc6f5f502977de4cfcac2d68ea06779ba9711c0887
Instruction Fuzzy Hash: 42111C35E09ECA85FA54AF61A4152793292AF95FB8F484330E92DC77C2DE2CE481C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF619D6795C, Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF619D6796D

Part of subcall function 00007FF619D645E4: _getptd_noexit.LIBCMT ref: 00007FF619D645E8

__doserrno.LIBCMT ref: 00007FF619D67965

Part of subcall function 00007FF619D64574: _getptd_noexit.LIBCMT ref: 00007FF619D64578

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: d37d6f186c9f1350048eddbdb2864eaab44d104fbdcd49f6afebe1c7ea5a2bb3
Instruction ID: a4f9fe9c4c90481bd8df333f294753eaeb2d0f1f8b7286c6be8fc0769f2d8515
Opcode Fuzzy Hash: d37d6f186c9f1350048eddbdb2864eaab44d104fbdcd49f6afebe1c7ea5a2bb3
Instruction Fuzzy Hash: A3016D72E1DECE85EE056F24888137872929FA2F7DF524332D52D863D2DF2CA440CA11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF619D61A40, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(?,?,000000FF,00007FF619D61A91,?,?,00000028,00007FF619D6551D,?,?,00000000,00007FF619D635B4,?,?,?,00007FF619D633E8), ref: 00007FF619D61A56
GetProcAddress.KERNEL32(?,?,000000FF,00007FF619D61A91,?,?,00000028,00007FF619D6551D,?,?,00000000,00007FF619D635B4,?,?,?,00007FF619D633E8), ref: 00007FF619D61A6C

Strings

CorExitProcess, xrefs: 00007FF619D61A65
mscoree.dll, xrefs: 00007FF619D61A4D

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 5499bf6d923be5a380f4796867f4ad8468debad7908783c1af9a9d88d51e20aa
Instruction ID: 04962928ed43cf2243bd9cb5c5210d16fe3b2d9b546aff700bf83d6c4a8881bf
Opcode Fuzzy Hash: 5499bf6d923be5a380f4796867f4ad8468debad7908783c1af9a9d88d51e20aa
Instruction Fuzzy Hash: 31E01A70F18E8A81EF144FA0A8901B93360AF84FA8B44523AD40F8A2A0DE2CD58EC300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF619D67B1C, Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF619D67B7E
MultiByteToWideChar.KERNEL32 ref: 00007FF619D67BED
MultiByteToWideChar.KERNEL32 ref: 00007FF619D67C3B
_errno.LIBCMT ref: 00007FF619D67C45

Memory Dump Source

Source File: 00000000.00000002.370434447.00007FF619D61000.00000020.00020000.sdmp, Offset: 00007FF619D60000, based on PE: true

Associated: 00000000.00000002.370425188.00007FF619D60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370458215.00007FF619D69000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370463680.00007FF619D6A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370473748.00007FF619D70000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.370483299.00007FF619D71000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.370490083.00007FF619D74000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.370503533.00007FF619D85000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff619d60000_dbsrv17.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno
String ID:
API String ID: 2949032343-0
Opcode ID: 45995deb2421168c2a0950f4efa0dcac27d06667df8956d6a715e2abb5758916
Instruction ID: 8b7d0e38ae8aa6585e11f65a54cfeb774e8e3e3d090947e962da5aa490316029
Opcode Fuzzy Hash: 45995deb2421168c2a0950f4efa0dcac27d06667df8956d6a715e2abb5758916
Instruction Fuzzy Hash: 5C41A372E08FCA86E7608F15958067977A1EB94FA8F154231EA4D97B95EE3CD441C700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report dbsrv17.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: dbsrv17.exe PID: 2152 Parent PID: 5124

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened