Create Interactive Tour

Windows Analysis Report
template.pdf

Overview

General Information

Sample Name:	template.pdf (renamed file extension from pdf to exe)
Analysis ID:	573251
MD5:	7b478a52e723de424790f4c0b0658c11
SHA1:	39ebd7b22d816c9fa2690353a4d334e80a2ca909
SHA256:	7e1c7bf2d20218ca328153ee8a0889ca7938dc030c7139efd28845d8c0b54ccf
Infos:

Detection

Metasploit

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Metasploit Payload

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found inlined nop instructions (likely shell or obfuscated code)

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Opens a port and listens for incoming connection (possibly a backdoor)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

template.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\template.exe" MD5: 7B478A52E723DE424790F4C0B0658C11)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
template.exe	Msfpayloads_msf_10	Metasploit Payloads - file msf.exe	Florian Roth	0x6e90:$s1: 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 0x6ed2:$s2: 01 C7 38 E0 75 F6 03 7D F8 3B 7D 24 75 E4 58 8B 0x6ef2:$s3: 01 D0 89 44 24 24 5B 5B 61 59 5A 51 FF E0 5F 5F
template.exe	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.template.exe.400000.0.unpack	Msfpayloads_msf_10	Metasploit Payloads - file msf.exe	Florian Roth	0x6e90:$s1: 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 0x6ed2:$s2: 01 C7 38 E0 75 F6 03 7D F8 3B 7D 24 75 E4 58 8B 0x6ef2:$s3: 01 D0 89 44 24 24 5B 5B 61 59 5A 51 FF E0 5F 5F
1.0.template.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
1.2.template.exe.400000.0.unpack	Msfpayloads_msf_10	Metasploit Payloads - file msf.exe	Florian Roth	0x6e90:$s1: 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 0x6ed2:$s2: 01 C7 38 E0 75 F6 03 7D F8 3B 7D 24 75 E4 58 8B 0x6ef2:$s3: 01 D0 89 44 24 24 5B 5B 61 59 5A 51 FF E0 5F 5F
1.2.template.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: template.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: template.exe	Virustotal: Detection: 84%			Perma Link
Source: template.exe	ReversingLabs: Detection: 88%

Machine Learning detection for sample

Source: template.exe

Joe Sandbox ML: detected

Source: 1.2.template.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen2
Source: 1.0.template.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen2

Source: template.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\template.exe

Socket bind: port: 53

Jump to behavior

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: template.exe

Source: C:\Users\user\Desktop\template.exe

Code function: 4x nop then pop ebp

1_2_004055D0

Source: template.exe	String found in binary or memory: http://www.apache.org/
Source: template.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: template.exe	String found in binary or memory: http://www.zeustech.net/

Source: template.exe, 00000001.00000002.553228537.000000000064A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: template.exe, type: SAMPLE	Matched rule: Metasploit Payloads - file msf.exe Author: Florian Roth
Source: 1.0.template.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Metasploit Payloads - file msf.exe Author: Florian Roth
Source: 1.2.template.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Metasploit Payloads - file msf.exe Author: Florian Roth

Source: template.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: template.exe, type: SAMPLE	Matched rule: Msfpayloads_msf_10 date = 2017-02-09, hash1 = 3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082, author = Florian Roth, description = Metasploit Payloads - file msf.exe, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.template.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Msfpayloads_msf_10 date = 2017-02-09, hash1 = 3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082, author = Florian Roth, description = Metasploit Payloads - file msf.exe, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.template.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Msfpayloads_msf_10 date = 2017-02-09, hash1 = 3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082, author = Florian Roth, description = Metasploit Payloads - file msf.exe, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: template.exe, 00000001.00000000.286451083.0000000000415000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameab.exeF vs template.exe
Source: template.exe	Binary or memory string: OriginalFilenameab.exeF vs template.exe

Source: template.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: template.exe	Virustotal: Detection: 84%
Source: template.exe	ReversingLabs: Detection: 88%

Source: template.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\template.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal76.troj.winEXE@1/0@0/0

Source: template.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: template.exe

Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_00407050 push esi; ret	1_2_00407053
Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_00405856 push edi; ret	1_2_0040586F
Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_00409860 pushad ; retn 0010h	1_2_0040989D
Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_00402861 push 00403120h; retf	1_2_00402883
Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_00402878 push 00403120h; retf	1_2_00402883
Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_00409EA0 push es; iretd	1_2_00409FBB
Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_00409F20 push es; iretd	1_2_00409FBB
Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_004051C2 push eax; retf	1_2_004051C6
Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_004023EB push es; ret	1_2_00402400
Source: C:\Users\user\Desktop\template.exe	Code function: 1_2_004027F4 push eax; ret	1_2_004027F5

Source: initial sample

Static PE information: section name: .text entropy: 7.01001868151

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: template.exe, 00000001.00000002.553228537.000000000064A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: template.exe, type: SAMPLE
Source: Yara match	File source: 1.0.template.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.template.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\template.exe

Code function: 1_2_0046008E WSAStartup,WSASocketA,bind,listen,accept,

1_2_0046008E

Source: C:\Users\user\Desktop\template.exe

Socket bind: port: 53

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	3 Software Packing	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	3 Obfuscated Files or Information	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Remote Access Software	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
template.exe	84%	Virustotal		Browse
template.exe	89%	ReversingLabs	Win32.Trojan.Retelesh
template.exe	100%	Avira	TR/Patched.Gen2
template.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.template.exe.400000.0.unpack	100%	Avira	TR/Patched.Gen2		Download File
1.0.template.exe.400000.0.unpack	100%	Avira	TR/Patched.Gen2		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.zeustech.net/	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	template.exe	false		high
http://www.apache.org/	template.exe	false		high
http://www.zeustech.net/	template.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	573251
Start date:	16.02.2022
Start time:	12:55:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	template.pdf (renamed file extension from pdf to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 26.2% (good quality ratio 12.6%) Quality average: 23.4% Quality standard deviation: 25.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.319813352449741
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	template.exe
File size:	73802
MD5:	7b478a52e723de424790f4c0b0658c11
SHA1:	39ebd7b22d816c9fa2690353a4d334e80a2ca909
SHA256:	7e1c7bf2d20218ca328153ee8a0889ca7938dc030c7139efd28845d8c0b54ccf
SHA512:	fb00e1397e35928ea77fd315d3c0c45ec2a879281ca12ce35fd063b8c869fae8bb35febc06f071a2a85794b436c340faf222b0aa5a2419b753bf7107d71c7d5c
SSDEEP:	1536:IUpGe/Dji70cAW5X0WC7qHkT11CJcjw1r1KlGMb+KR0Nc8QsJq39:lhLje6W5gOETfgcjEs4e0Nc8QsC9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L...C.}J...........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4054cb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4A7D8443 [Sat Aug 8 13:57:23 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	481f47bbb2c9c21e108d65f52b04c448

Entrypoint Preview

Instruction
inc edx
daa
aaa
xchg eax, ecx
aaa
salc
stc
inc ecx
inc eax
salc
cld
std
cld
cwde
stc
xchg eax, ecx
aas
inc ecx
wait
inc eax
dec eax
xchg eax, ebx
inc eax
wait
nop
lahf
lahf
xchg eax, ecx
inc ecx
daa
clc
daa
cdq
inc eax
salc
daa
inc ecx
dec ecx
lahf
stc
xchg eax, edx
inc ecx
dec eax
wait
stc
cmc
cld
dec ebx
daa
clc
clc
std
inc edx
xchg eax, edx
cmc
nop
stc
inc eax
daa
cmc
xchg eax, ebx
cdq
dec ecx
xchg eax, ebx
dec eax
inc ebx
inc ebx
nop
wait
inc edx
inc ecx
xchg eax, ecx
dec edx
clc
cmc
jmp 00007F10B50EACF5h
cmp eax, 270C688Bh
sal byte ptr [ecx+ecx+50h], FFFFFF9Eh
nop
add byte ptr fs:[eax], al
mov edx, dword ptr [ebp+08h]
mov edi, dword ptr [esi+14h]
lea ebp, dword ptr [edi+74FF8514h]
adc byte ptr [ebx+4F3BF227h], cl
or byte ptr [esi+46h], dh
mov eax, edi
and al, 73h
test edi, edi
jne 00007F10B50E9802h
mov esi, dword ptr [esi+0Ch]
test esi, esi
je 00007F10B50E9818h
push esi
call 00007F10B50EE602h
mov edi, dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
push eax
call dword ptr [0040C15Ch]
add esp, FFFFFFABh
jc 00007F10B50E97D2h
je 00007F10B50E986Bh
mov edx, dword ptr [eax+18508DFCh]
mov dword ptr [eax-12h], edx
mov dword ptr [eax], 25005700h
lea edx, dword ptr [esi+eax]
mov dword ptr [eax+08h], edi
mov dword ptr [eax+1Eh], edx
jmp 00007F10B4AF974Eh
mov ecx, dword ptr [edi]
mov dword ptr [ecx+4E8B0847h], edi
or byte ptr [eax+ecx*8-75h], ch
inc esi

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x7c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc1e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa966	0xb000	False	0.814586292614	data	7.01001868151	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0xfe6	0x1000	False	0.46142578125	DOS executable (COM, 0x8C-variant)	5.31839035374	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x705c	0x4000	False	0.25634765625	data	4.4078410232	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x15000	0x7c8	0x1000	False	0.197998046875	data	1.95829602517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x15060	0x768	data	English	United States

Imports

DLL	Import
MSVCRT.dll	_iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp
KERNEL32.dll	PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid
WSOCK32.dll	getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError
WS2_32.dll	WSARecv, WSASend

Version Infos

Description	Data
LegalCopyright	Copyright 2009 The Apache Software Foundation.
InternalName	ab.exe
FileVersion	2.2.14
CompanyName	Apache Software Foundation
Comments	Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License athttp://www.apache.org/licenses/LICENSE-2.0Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
ProductName	Apache HTTP Server
ProductVersion	2.2.14
FileDescription	ApacheBench command line utility
OriginalFilename	ab.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• template.exe

Click to jump to process

Memory Usage

• template.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Target ID:	1
Start time:	12:56:49
Start date:	16/02/2022
Path:	C:\Users\user\Desktop\template.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\template.exe"
Imagebase:	0x400000
File size:	73802 bytes
MD5 hash:	7B478A52E723DE424790F4C0B0658C11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	17.5%
Signature Coverage:	15%
Total number of Nodes:	40
Total number of Limit Nodes:	0

Executed Functions

Function 0046008E Relevance: 8.6, APIs: 5, Instructions: 1075
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(006B8029,00000190,?,?,5F327377,00003233), ref: 004600AF
WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,?,?,5F327377,00003233), ref: 004600C0
bind.WS2_32(6737DBC2,?,?,00000010,35000002,?,?,5F327377,00003233), ref: 004600D3
listen.WS2_32(FF38E9B7,?,?,?,00000010,35000002,?,?,5F327377,00003233), ref: 004600DF
accept.WS2_32(E13BEC74,?,?,?,?,00000010,35000002,?,?,5F327377,00003233), ref: 004600E7

Memory Dump Source

Source File: 00000001.00000002.553169165.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_460000_template.jbxd

Similarity

API ID: SocketStartupacceptbindlisten
String ID:
API String ID: 2467102526-0
Opcode ID: 593f94881237ca3f197cc9fb9381ebee9599fb63837a0479475510fb76dce9ba
Instruction ID: 5f50320c8390d63fd898fe873cbdfb99b4009d77504e3eed3f15e76a7fb5218c
Opcode Fuzzy Hash: 593f94881237ca3f197cc9fb9381ebee9599fb63837a0479475510fb76dce9ba
Instruction Fuzzy Hash: 3D114CB06C129D3AE63121639C4BFAB3D1CCF86B98F550065B744AA1C1E9CAD84081BE

Uniqueness

Uniqueness Score: -1.00%

Function 00406D24 Relevance: 1.3, APIs: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,0000013B,00001000,00000040), ref: 00406D4F

Memory Dump Source

Source File: 00000001.00000002.553124603.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.553119517.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553145810.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553154327.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553163839.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_template.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d7245893d358433f4a450d3ead1c79ac7f0a57231bae86477dd6ce0a49a29391
Instruction ID: 584e8247d4550be00e29aae199d21f6f378147c4511b4a5bb70b69b240c24ce8
Opcode Fuzzy Hash: d7245893d358433f4a450d3ead1c79ac7f0a57231bae86477dd6ce0a49a29391
Instruction Fuzzy Hash: 73F0E93438A3089AC51451208C41BB5314E4B96700F56343BA5037B6D2CA78943261DF

Uniqueness

Uniqueness Score: -1.00%

Function 00406CE5 Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,0000013B,00001000,00000040), ref: 00406D4F

Memory Dump Source

Source File: 00000001.00000002.553124603.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.553119517.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553145810.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553154327.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553163839.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_template.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a873aae369ee458cd9b0ce45941cf3b66bca200e5782d1ff92ca9899ff540d26
Instruction ID: f3be518b7ce71daa766dc07e6b8e919162743063083b6967f693c4256261822d
Opcode Fuzzy Hash: a873aae369ee458cd9b0ce45941cf3b66bca200e5782d1ff92ca9899ff540d26
Instruction Fuzzy Hash: BEE0D1653CD39857D30156705C437E566951F17744F6A203BD18B7A1C7E5FC4601510D

Uniqueness

Uniqueness Score: -1.00%

Function 00406CD1 Relevance: 1.3, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,0000013B,00001000,00000040), ref: 00406D4F

Memory Dump Source

Source File: 00000001.00000002.553124603.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.553119517.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553145810.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553154327.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553163839.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_template.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 98589d5addc67291034c61ac4b0415e4ca9bb40c6ddad1d9dd63b07573a8f646
Instruction ID: 374054f40fdc1ed778e2d56b39737827b70dd4bc062a40895275048749a79ad5
Opcode Fuzzy Hash: 98589d5addc67291034c61ac4b0415e4ca9bb40c6ddad1d9dd63b07573a8f646
Instruction Fuzzy Hash: 26D09E657CE215A2E50151245C52FB5518C4B5FB51E733437A64B7B1C7D9BC1A23304E

Uniqueness

Uniqueness Score: -1.00%

Function 00406CDC Relevance: 1.3, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,0000013B,00001000,00000040), ref: 00406D4F

Memory Dump Source

Source File: 00000001.00000002.553124603.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.553119517.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553145810.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553154327.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553163839.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_template.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ba90182bb653eca8aff04cb969ba7306b2fe0abdd48cf3cd1e0bb80bfe822ce1
Instruction ID: fa635b14704d3018ab6d5506e747bf22b8d59182ea07f98a3c3efc379f4229f7
Opcode Fuzzy Hash: ba90182bb653eca8aff04cb969ba7306b2fe0abdd48cf3cd1e0bb80bfe822ce1
Instruction Fuzzy Hash: 84D05E257CE258E3E50111205C92FF5128D0F1FB00E733476A28B3A1C7D9AC1A22604E

Uniqueness

Uniqueness Score: -1.00%

Function 00406D16 Relevance: 1.3, APIs: 1, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,0000013B,00001000,00000040), ref: 00406D4F

Memory Dump Source

Source File: 00000001.00000002.553124603.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.553119517.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553145810.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553154327.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553163839.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_template.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1801661d45174c04168720857cb5e05e5296c0fd4f4a26ddebff298239cdf5cb
Instruction ID: 2c49d93b144fe78f6ae223a1496384c76529cd4d0ab7d6499107e53da005edf2
Opcode Fuzzy Hash: 1801661d45174c04168720857cb5e05e5296c0fd4f4a26ddebff298239cdf5cb
Instruction Fuzzy Hash: DEC012253C9258A7E50156208C87F7A50C44B2AB40EA2342AB28BBA1C6A8E82E12104E

Uniqueness

Uniqueness Score: -1.00%

Function 00406D44 Relevance: 1.3, APIs: 1, Instructions: 14
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,0000013B,00001000,00000040), ref: 00406D4F

Memory Dump Source

Source File: 00000001.00000002.553124603.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.553119517.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553145810.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553154327.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553163839.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_template.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 63b4029ab68ee12c7da69d4456af9f479a0586b81f3a042f8edfb37722aaa58d
Instruction ID: 19786778f407c61e8071ebb6ba6b0ca0db728d1b8757c4a299e73a6940fff132
Opcode Fuzzy Hash: 63b4029ab68ee12c7da69d4456af9f479a0586b81f3a042f8edfb37722aaa58d
Instruction Fuzzy Hash: B0B0926A3687116B2A00F2BD78A1A1F22DB0A6B714365342AE112E7293EE588E81419D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004055D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.553124603.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.553119517.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553145810.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553154327.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.553163839.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_template.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8335fb1aad4a4c39b9d2c000792769a974b2bb3596afd11cfbf285931f669cd2
Instruction ID: 76f02fd106aead2f4b637b2797871ce2080fca86f8b6fc71234094765ec6c179
Opcode Fuzzy Hash: 8335fb1aad4a4c39b9d2c000792769a974b2bb3596afd11cfbf285931f669cd2
Instruction Fuzzy Hash: 7DD0C96550434EABAB088E14C841CBAF77DAA4B630B04B749AC34175D1D670F9408798

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report template.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: template.exePID: 5684, Parent PID: 4244

General

File Activities

File Opened

File Attributes Queried

Windows Analysis Report
template.pdf

Function 0046008E Relevance: 8.6, APIs: 5, Instructions: 1075
networkCOMMON

Function 00406D24 Relevance: 1.3, APIs: 1, Instructions: 45
memoryCOMMON

Function 00406CE5 Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMON

Function 00406CD1 Relevance: 1.3, APIs: 1, Instructions: 26
memoryCOMMON

Function 00406CDC Relevance: 1.3, APIs: 1, Instructions: 26
memoryCOMMON

Function 00406D16 Relevance: 1.3, APIs: 1, Instructions: 19
memoryCOMMON

Function 00406D44 Relevance: 1.3, APIs: 1, Instructions: 14
memoryCOMMON