Edit tour

Windows Analysis Report
SIHClient.exe

Overview

General Information

Sample Name:	SIHClient.exe
Analysis ID:	601286
MD5:	8aee6ed82e9c28de53abf8c95767d49a
SHA1:	8df79adeeefe41c118fc518fc33719a953207d77
SHA256:	d970ddc3faf1d1d4bdd194210aaa952e4ee4b33fa242c6569e5e415122e8b430
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Detected potential crypto function

Found potential string decryption / allocating functions

Uses Microsoft's Enhanced Cryptographic Provider

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Classification

Process Tree

System is w10x64

SIHClient.exe (PID: 5084 cmdline: "C:\Users\user\Desktop\SIHClient.exe" -install MD5: 8AEE6ED82E9C28DE53ABF8C95767D49A)

SIHClient.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\SIHClient.exe" /install MD5: 8AEE6ED82E9C28DE53ABF8C95767D49A)

SIHClient.exe (PID: 1100 cmdline: "C:\Users\user\Desktop\SIHClient.exe" /load MD5: 8AEE6ED82E9C28DE53ABF8C95767D49A)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619586C6C GetLastError,ReadFile,CryptHashData,CryptHashData,GetLastError,GetLastError,GetLastError,CloseHandle,
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619586EAC CryptDestroyHash,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,CryptDestroyHash,CryptCreateHash,CryptReleaseContext,CryptAcquireContextW,CryptDestroyHash,CryptCreateHash,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,GetLastError,GetLastError,
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619584634 CryptHashPublicKeyInfo,GetLastError,GetLastError,memcmp,CompareStringA,CertGetEnhancedKeyUsage,CertGetEnhancedKeyUsage,CompareStringA,
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195877A4 CryptReleaseContext,
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195877D4 CryptDestroyHash,

Source: SIHClient.exe

Static PE information: certificate valid

Source: SIHClient.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SIHClient.pdbGCTL source: SIHClient.exe
Source:	Binary string: SIHClient.pdb source: SIHClient.exe

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF61955E830 FindFirstFileW,GetLastError,

Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195532A0
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61955EA38
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619587254
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619585198
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619567A18
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61957D220
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619554A34
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619584210
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195824A0
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61958348C
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61956A46C
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619553C6C
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619588528
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619559CD8
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195854C0
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61957F41C
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61958042C
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61956FBDC
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195693F0
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619581BBC
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619586EAC
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619569E78
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61956BE8C
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619554734
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61957DED8
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619585E1C
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619583E24
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619584634
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619570844
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61957F850
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195540F8
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61955D8F8
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61957B0DC
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195860D8
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195760C0
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619586778
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF61957D794
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF6195857C8
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619552FD4

Source: C:\Users\user\Desktop\SIHClient.exe	Code function: String function: 00007FF619558438 appears 31 times
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: String function: 00007FF619561D18 appears 42 times

Source: C:\Users\user\Desktop\SIHClient.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SIHClient.exe "C:\Users\user\Desktop\SIHClient.exe" -install
Source: unknown	Process created: C:\Users\user\Desktop\SIHClient.exe "C:\Users\user\Desktop\SIHClient.exe" /install
Source: unknown	Process created: C:\Users\user\Desktop\SIHClient.exe "C:\Users\user\Desktop\SIHClient.exe" /load

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF61955A888 FindResourceW,LoadResource,GetLastError,

Source: SIHClient.exe	String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0.dll
Source: SIHClient.exe	String found in binary or memory: DnsRemoveNrptRuleUEtwTraceMessageVaapi-ms-win-core-registry-l1-1-0.dllapi-ms-win-core-processenvironment-l1-1-0.dllapi-ms-win-core-sysinfo-l1-2-0.dllOLEAUT32.dllapi-ms-win-stateseparation-helpers-l1-1-0.dllapi-ms-win-core-timezone-l1-1-0.dllapi-ms-win-security-base-l1-1-0.dllapi-ms-win-security-sddl-l1-1-0.dllapi-ms-win-core-heap-l2-1-0.dllapi-ms-win-core-file-l1-1-0.dllapi-ms-win-core-version-l1-1-0.dllapi-ms-win-core-libraryloader-l1-2-1.dllapi-ms-win-core-kernel32-legacy-l1-1-0.dllapi-ms-win-core-synch-l1-1-0.dllapi-ms-win-core-localization-l1-2-0.dllapi-ms-win-core-handle-l1-1-0.dllapi-ms-win-core-file-l2-1-0.dllapi-ms-win-core-shlwapi-legacy-l1-1-0.dllapi-ms-win-shell-shdirectory-l1-1-0.dllapi-ms-win-eventing-controller-l1-1-0.dllapi-ms-win-core-file-l1-2-1.dllapi-ms-win-eventing-consumer-l1-1-0.dllapi-ms-win-core-shlwapi-obsolete-l1-1-0.dllapi-ms-win-core-namespace-l1-1-0.dllWINHTTP.dllWS2_32.dllDNSAPI.dlll

Source: classification engine

Classification label: clean5.winEXE@3/0@0/0

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF619588528 CoCreateInstance,#6,CoTaskMemFree,#2,#6,#6,#8,#2,#9,#6,#6,#8,#6,#2,#6,#2,#9,#6,#6,#6,#6,#6,#6,#6,

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF6195622BC GetDiskFreeSpaceW,GetLastError,

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: SIHClient.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SIHClient.exe

Static PE information: certificate valid

Source: SIHClient.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SIHClient.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SIHClient.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SIHClient.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SIHClient.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SIHClient.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SIHClient.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: SIHClient.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: SIHClient.pdbGCTL source: SIHClient.exe
Source:	Binary string: SIHClient.pdb source: SIHClient.exe

Source: SIHClient.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SIHClient.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SIHClient.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SIHClient.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SIHClient.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: SIHClient.exe	Static PE information: section name: .wpp_sf
Source: SIHClient.exe	Static PE information: section name: .didat

Source: SIHClient.exe

Static PE information: 0x6FF0BBED [Fri Jul 6 15:55:25 2029 UTC]

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF61958042C GetSystemTimeAsFileTime followed by cmp: cmp r13d, 02h and CTI: jne 00007FF619580D31h

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF6195760C0 rdtsc

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF61955E830 FindFirstFileW,GetLastError,

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF61955C178 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF61955AA74 GetProcessHeap,HeapAlloc,HeapReAlloc,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF6195760C0 rdtsc

Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619589720 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619589E30 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\SIHClient.exe	Code function: 1_2_00007FF619589FE8 SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF619568F68 IsValidSid,GetLengthSid,InitializeAcl,AddAccessAllowedAceEx,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,LocalFree,_CxxThrowException,

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF61955F6F4 AllocateAndInitializeSid,GetLastError,FreeSid,

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: _o_wcstoul,memset,GetLocaleInfoW,

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF619581798 memset,GetVersionExW,GetLastError,memset,

Source: C:\Users\user\Desktop\SIHClient.exe

Code function: 1_2_00007FF619562204 GetLocalTime,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SIHClient.exe	0%	Virustotal		Browse
SIHClient.exe	0%	ReversingLabs

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	601286
Start date and time:	2022-04-01 07:44:50 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SIHClient.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@3/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.9% (good quality ratio 55.2%) Quality average: 34.1% Quality standard deviation: 36%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target SIHClient.exe, PID 5084 because there are no executed function
Not all processes where analyzed, report is missing behavior information

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.291367203090324
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SIHClient.exe
File size:	363728
MD5:	8aee6ed82e9c28de53abf8c95767d49a
SHA1:	8df79adeeefe41c118fc518fc33719a953207d77
SHA256:	d970ddc3faf1d1d4bdd194210aaa952e4ee4b33fa242c6569e5e415122e8b430
SHA512:	55abdc4b0908413cd6aeeea6fef677e0b6c9f53868b992bb9d555ac997ff10ae3319a6fe769b6a514d6ccbdfeee0b287dc42cc7ae946aebe20b77bbd2b58fb18
SSDEEP:	6144:bEz/gXy/yq1bPid3Qk6Sa+0ej9bv9gOlS4OeAWjDpMSEXK+00teFkTMjFr:bEDKy0CtlG1veOUZQ2a+58WTYr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:...~.y.~.y.~.y.w.....y.j.}.l.y.j.z.}.y.~.x...y.j.x.}.y.j.q...y.j.\|.[.y.j.....y.j.....y.j.{...y.Rich~.y........................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x1400395d0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x6FF0BBED [Fri Jul 6 15:55:25 2029 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	8a9daf162bb80653251f03ba60c68346

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	4/29/2021 12:15:49 PM 4/28/2022 12:15:49 PM
Subject Chain	CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	02268E6FDDE7F2D06838DFDB7B75889B
Thumbprint SHA-1:	7B2177E03D07812A5A5842565A647DB565F77BB8
Thumbprint SHA-256:	9BBDE7210C366F12F75022F81F39BFB13547B2A32BEB7B0E6959DB964AD2E84E
Serial:	33000002F49E469C54137B85E00000000002F4

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FADE8AB470Ch
dec eax
add esp, 28h
jmp 00007FADE8AB3E73h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [0001C439h]
jne 00007FADE8AB4025h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FADE8AB4015h
ret
dec eax
ror ecx, 10h
jmp 00007FADE8AB4184h
int3
int3
int3
int3
int3
int3
int3
jmp 00007FADE8AB4ABCh
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 38h
dec eax
mov dword ptr [esp+20h], FFFFFFFEh
call 00007FADE8AB40ABh
nop
jmp 00007FADE8AB4014h
xor eax, eax
dec eax
add esp, 38h
ret
int3
int3
int3
int3
int3
int3
int3
int3
dec esp
mov dword ptr [esp+18h], eax
dec esp
mov dword ptr [esp+20h], ecx
push ebx
push ebp
push esi
push edi
dec eax
sub esp, 38h
dec ecx
mov esi, eax
dec eax
lea ebp, dword ptr [esp+78h]
dec eax
mov ebx, edx
dec eax
mov edi, ecx
call 00007FADE8AB3C64h
dec eax
mov dword ptr [esp+28h], ebp
dec esp
mov ecx, esi
dec eax
and dword ptr [esp+20h], 00000000h
dec esp
mov eax, ebx
dec eax
mov edx, edi
dec eax
mov ecx, dword ptr [eax]
call 00007FADE8AB4E12h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x51340	0x474	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b000	0x500	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x57000	0x231c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x55a00	0x32d0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5c000	0x298	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4a930	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3f8b0	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f9c8	0xb00	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x510a8	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3c379	0x3c400	False	0.501604642116	data	6.3091707051	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.wpp_sf	0x3e000	0x86	0x200	False	0.255859375	data	1.95295120882	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3f000	0x151ae	0x15200	False	0.357572115385	data	4.85475408256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x55000	0x1618	0xe00	False	0.313616071429	data	3.71460427153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x57000	0x231c	0x2400	False	0.518988715278	data	5.50748530651	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x5a000	0x78	0x200	False	0.1015625	data	0.791454022548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x5b000	0x500	0x600	False	0.384114583333	data	2.91484619843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5c000	0x298	0x400	False	0.458984375	data	4.06111320428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MUI	0x5b438	0xc8	data	English	United States
RT_VERSION	0x5b0b0	0x388	data	English	United States

Imports

DLL	Import
msvcp_win.dll	?_Xinvalid_argument@std@@YAXPEBD@Z, ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z, ?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Xbad_function_call@std@@YAXXZ, ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z, ?id@?$codecvt@GDU_Mbstatet@@@std@@2V0locale@2@A, ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z, ??1?$codecvt@GDU_Mbstatet@@@std@@MEAA@XZ, ??0?$codecvt@GDU_Mbstatet@@@std@@QEAA@_K@Z, ?_Incref@facet@locale@std@@UEAAXXZ, ?out@?$codecvt@GDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBG1AEAPEBGPEAD3AEAPEAD@Z, ??Bid@locale@std@@QEAA_KXZ, ?_Xlength_error@std@@YAXPEBD@Z
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, _initterm_e, _initterm, _register_thread_local_exe_atexit_callback
api-ms-win-crt-private-l1-1-0.dll	_o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_errno, _o__set_fmode, _o__set_new_mode, memmove, _o__wsplitpath_s, _o__wtoi, _o__wtoi64, _o__wtol, _o_exit, _o_free, _o_iswalnum, _o_iswalpha, _o_malloc, _o_qsort, _o_rand, _o_srand, _o_strncpy_s, _o_strtol, _o_terminate, _o_towlower, _o_wcscpy_s, _o_wcstoul, __C_specific_handler, __CxxFrameHandler3, _o__get_initial_wide_environment, _CxxThrowException, wcsrchr, _o__exit, _o__invalid_parameter_noinfo_noreturn, _o__errno, _o__invalid_parameter_noinfo, _o__initialize_wide_environment, _o__initialize_onexit_table, _o__crt_atexit, _o__configure_wide_argv, _o__configthreadlocale, _o__cexit, _o__callnewh, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf_s, _o___stdio_common_vsnprintf_s, _o___std_exception_destroy, _o___std_exception_copy, _o___p__commode, _o___p___wargv, _o___p___argc, strchr, __std_terminate, __CxxFrameHandler4, memcmp, wcsstr, memcpy
api-ms-win-crt-string-l1-1-0.dll	memset
RPCRT4.dll	RpcStringFreeA, UuidCreate, UuidToStringA, UuidFromStringW
api-ms-win-core-com-l1-1-0.dll	StringFromGUID2, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoCreateGuid, CoInitializeEx, IIDFromString, CoTaskMemFree
ntdll.dll	RtlGetDeviceFamilyInfoEnum, EtwTraceMessageVa, RtlIsStateSeparationEnabled
api-ms-win-core-processthreads-l1-1-3.dll	GetProcessInformation
api-ms-win-core-processthreads-l1-1-0.dll	GetCurrentThreadId, TerminateProcess, GetCurrentProcess, GetCurrentProcessId
api-ms-win-core-synch-l1-2-0.dll	Sleep
api-ms-win-eventing-provider-l1-1-0.dll	EventRegister, EventUnregister, EventSetInformation, EventWriteTransfer
api-ms-win-core-debug-l1-1-0.dll	DebugBreak, IsDebuggerPresent, OutputDebugStringW
api-ms-win-core-errorhandling-l1-1-0.dll	SetUnhandledExceptionFilter, GetLastError, SetLastError, UnhandledExceptionFilter
api-ms-win-core-string-l1-1-0.dll	WideCharToMultiByte, MultiByteToWideChar, CompareStringW
api-ms-win-core-rtlsupport-l1-1-0.dll	RtlVirtualUnwind, RtlCaptureContext, RtlLookupFunctionEntry
api-ms-win-core-processthreads-l1-1-1.dll	IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetLocalTime, GetSystemDirectoryW, GetSystemTimeAsFileTime, GetSystemTime, GetTickCount64, GetSystemWindowsDirectoryW, GetVersionExW
api-ms-win-core-interlocked-l1-1-0.dll	InitializeSListHead
api-ms-win-core-libraryloader-l1-2-0.dll	GetModuleHandleW, FreeLibrary, GetModuleHandleExW, GetProcAddress, GetModuleFileNameA, LoadResource
api-ms-win-core-heap-l1-1-0.dll	HeapFree, HeapAlloc, GetProcessHeap, HeapReAlloc
api-ms-win-core-memory-l1-1-0.dll	UnmapViewOfFile, CreateFileMappingW, MapViewOfFileEx, MapViewOfFile
api-ms-win-core-registry-l1-1-0.dll	RegDeleteValueW, RegQueryValueExW, RegEnumValueW, RegQueryInfoKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey, RegOpenKeyExW
api-ms-win-core-processenvironment-l1-1-0.dll	ExpandEnvironmentStringsW
api-ms-win-core-sysinfo-l1-2-0.dll	GetNativeSystemInfo, GetProductInfo
OLEAUT32.dll	SysStringLen, VariantInit, SysFreeString, SysAllocStringLen, SysAllocString, VariantClear
api-ms-win-stateseparation-helpers-l1-1-0.dll	GetPersistedRegistryLocationW
api-ms-win-core-timezone-l1-1-0.dll	FileTimeToSystemTime, SystemTimeToFileTime
api-ms-win-security-base-l1-1-0.dll	CopySid, SetSecurityDescriptorDacl, CheckTokenMembership, DuplicateTokenEx, FreeSid, AllocateAndInitializeSid, RevertToSelf, InitializeSecurityDescriptor, ImpersonateLoggedOnUser, CreateWellKnownSid, IsValidSid, GetTokenInformation, InitializeAcl, GetLengthSid, AddAccessAllowedAceEx
api-ms-win-security-sddl-l1-1-0.dll	ConvertSidToStringSidW, ConvertStringSidToSidW
api-ms-win-core-heap-l2-1-0.dll	LocalAlloc, LocalFree
api-ms-win-core-file-l1-1-0.dll	GetFileTime, CreateDirectoryW, FindNextFileW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetFileAttributesW, DeleteFileW, FindClose, GetDriveTypeW, GetFileType, SetFileTime, GetFinalPathNameByHandleW, GetFileSize, GetFileInformationByHandle, SetFileAttributesW, LocalFileTimeToFileTime, GetVolumePathNameW, ReadFile, SetFilePointer, SetFileInformationByHandle, WriteFile, CompareFileTime, GetFileSizeEx, CreateFileW, GetVolumeInformationW, FindFirstFileW, GetFileAttributesExW, GetTempFileNameW
api-ms-win-core-version-l1-1-0.dll	GetFileVersionInfoExW, GetFileVersionInfoSizeExW, VerQueryValueW
api-ms-win-core-libraryloader-l1-2-1.dll	LoadLibraryW, FindResourceW
api-ms-win-core-kernel32-legacy-l1-1-0.dll	DosDateTimeToFileTime
api-ms-win-core-synch-l1-1-0.dll	WaitForSingleObjectEx, CreateMutexW, ReleaseMutex, CreateSemaphoreExW, LeaveCriticalSection, CreateMutexExW, WaitForSingleObject, EnterCriticalSection, ReleaseSemaphore, DeleteCriticalSection, OpenMutexW, InitializeCriticalSection, OpenSemaphoreW
api-ms-win-core-localization-l1-2-0.dll	GetLocaleInfoW, FormatMessageW
api-ms-win-core-handle-l1-1-0.dll	CloseHandle
api-ms-win-core-file-l2-1-0.dll	MoveFileExW
api-ms-win-core-shlwapi-legacy-l1-1-0.dll	PathIsUNCW, PathStripToRootW, PathIsRelativeW, PathIsRootW
api-ms-win-shell-shdirectory-l1-1-0.dll
api-ms-win-eventing-controller-l1-1-0.dll	ControlTraceW, StartTraceW, EnableTraceEx2
api-ms-win-core-file-l1-2-1.dll	GetCompressedFileSizeW
api-ms-win-eventing-consumer-l1-1-0.dll	CloseTrace
api-ms-win-core-shlwapi-obsolete-l1-1-0.dll	StrChrW, StrRChrW
api-ms-win-core-namespace-l1-1-0.dll	CreateBoundaryDescriptorW, OpenPrivateNamespaceW, CreatePrivateNamespaceW, AddSIDToBoundaryDescriptor, DeleteBoundaryDescriptor, ClosePrivateNamespace
WINHTTP.dll	WinHttpConnect, WinHttpReadData, WinHttpAddRequestHeaders, WinHttpQueryAuthSchemes, WinHttpOpenRequest, WinHttpOpen, WinHttpSetOption, WinHttpQueryOption, WinHttpReceiveResponse, WinHttpSetTimeouts, WinHttpQueryHeaders, WinHttpCrackUrl, WinHttpCloseHandle, WinHttpSetStatusCallback, WinHttpSendRequest
WS2_32.dll	inet_addr, getnameinfo
DNSAPI.dll	DnsSetNrptRules, DnsRemoveNrptRule, DnsFreeNrptRuleNamesList, DnsGetNrptRuleNamesList, DnsQuery_W, DnsFree, DnsFreeNrptRule
api-ms-win-core-apiquery-l1-1-0.dll	ApiSetQueryApiSetPresence
Cabinet.dll
api-ms-win-core-localization-obsolete-l1-2-0.dll	CompareStringA, EnumUILanguagesW
CRYPT32.dll	CertGetCertificateChain, CertFreeCertificateChain, CryptHashPublicKeyInfo, CertFindCertificateInStore, CertOpenStore, CertVerifyCertificateChainPolicy, CertCloseStore, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertControlStore, CertFreeCertificateContext
api-ms-win-security-cryptoapi-l1-1-0.dll	CryptAcquireContextW, CryptDestroyHash, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	SIH Client
FileVersion	10.0.19041.1503 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	10.0.19041.1503
FileDescription	SIH Client
OriginalFilename	sihclient.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• SIHClient.exe
• SIHClient.exe
• SIHClient.exe

Click to jump to process

Target ID:	1
Start time:	09:45:57
Start date:	01/04/2022
Path:	C:\Users\user\Desktop\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SIHClient.exe" -install
Imagebase:	0x7ff619550000
File size:	363728 bytes
MD5 hash:	8AEE6ED82E9C28DE53ABF8C95767D49A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: SIHClient.exePID: 6292, Parent PID: 3880

General

Target ID:	4
Start time:	09:46:00
Start date:	01/04/2022
Path:	C:\Users\user\Desktop\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SIHClient.exe" /install
Imagebase:	0x7ff619550000
File size:	363728 bytes
MD5 hash:	8AEE6ED82E9C28DE53ABF8C95767D49A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: SIHClient.exePID: 1100, Parent PID: 3880

General

Target ID:	6
Start time:	09:46:03
Start date:	01/04/2022
Path:	C:\Users\user\Desktop\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SIHClient.exe" /load
Imagebase:	0x7ff619550000
File size:	363728 bytes
MD5 hash:	8AEE6ED82E9C28DE53ABF8C95767D49A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SIHClient.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: SIHClient.exePID: 5084, Parent PID: 3880

General

Analysis Process: SIHClient.exePID: 6292, Parent PID: 3880

General

Analysis Process: SIHClient.exePID: 1100, Parent PID: 3880

General

Disassembly

Windows Analysis Report
SIHClient.exe