Edit tour

Windows Analysis Report
download.exe

Overview

General Information

Sample Name:	download.exe
Analysis ID:	606090
MD5:	a2c883b0e7a1b002b088f52f647f2e2f
SHA1:	0ed075b4c2163cac0463f4f6b7961d0850e1fc05
SHA256:	27d4749a0db6fffdcc3744cb2ed29e8ffa8cc00140ee61faa3a4b0446d512076
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

download.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\download.exe" -install MD5: A2C883B0E7A1B002B088F52F647F2E2F)

download.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\download.exe" /install MD5: A2C883B0E7A1B002B088F52F647F2E2F)

download.exe (PID: 6724 cmdline: "C:\Users\user\Desktop\download.exe" /load MD5: A2C883B0E7A1B002B088F52F647F2E2F)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: download.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: download.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0040AEF4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\Desktop\download.exe	Code function: 1_2_0040AEF4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\download.exe	Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\Desktop\download.exe	Code function: 2_2_0040AEF4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\download.exe	Code function: 2_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,

Source: download.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: download.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU

Source: download.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: download.exe, 00000000.00000003.251830348.0000000002258000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs download.exe
Source: download.exe, 00000000.00000000.220189376.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs download.exe
Source: download.exe, 00000001.00000000.225614313.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs download.exe
Source: download.exe, 00000001.00000003.246708963.0000000002248000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs download.exe
Source: download.exe, 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs download.exe
Source: download.exe, 00000002.00000003.242637775.0000000002228000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs download.exe
Source: download.exe	Binary or memory string: OriginalFileName vs download.exe

Source: download.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: download.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\Desktop\download.exe	Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\Desktop\download.exe	Code function: 2_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004323DC
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004255DC
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0040E9C4
Source: C:\Users\user\Desktop\download.exe	Code function: 1_2_004323DC
Source: C:\Users\user\Desktop\download.exe	Code function: 1_2_004255DC
Source: C:\Users\user\Desktop\download.exe	Code function: 1_2_0040E9C4
Source: C:\Users\user\Desktop\download.exe	Code function: 2_2_004323DC
Source: C:\Users\user\Desktop\download.exe	Code function: 2_2_004255DC
Source: C:\Users\user\Desktop\download.exe	Code function: 2_2_0040E9C4

Source: C:\Users\user\Desktop\download.exe	Code function: String function: 00427848 appears 63 times
Source: C:\Users\user\Desktop\download.exe	Code function: String function: 0040CC60 appears 51 times
Source: C:\Users\user\Desktop\download.exe	Code function: String function: 0040873C appears 54 times

Source: C:\Users\user\Desktop\download.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\download.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\download.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\download.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\download.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\download.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\download.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: unknown	Process created: C:\Users\user\Desktop\download.exe "C:\Users\user\Desktop\download.exe" -install
Source: unknown	Process created: C:\Users\user\Desktop\download.exe "C:\Users\user\Desktop\download.exe" /install
Source: unknown	Process created: C:\Users\user\Desktop\download.exe "C:\Users\user\Desktop\download.exe" /load

Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\Desktop\download.exe	Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\Desktop\download.exe	Code function: 2_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,

Source: download.exe	String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: download.exe	String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: download.exe	String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: download.exe	String found in binary or memory: /LOADINF="filename"

Source: classification engine

Classification label: clean5.winEXE@3/0@0/0

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_0041A4DC GetDiskFreeSpaceW,

Source: C:\Users\user\Desktop\download.exe	Automated click: OK
Source: C:\Users\user\Desktop\download.exe	Automated click: OK
Source: C:\Users\user\Desktop\download.exe	Automated click: OK

Source: download.exe

Static file information: File size 1735928 > 1048576

Source: download.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004B5000 push 004B50DEh; ret
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004B5980 push 004B5A48h; ret
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00458000 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0049B03C push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004A00F8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00458084 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004B1084 push 004B10ECh; ret
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004A1094 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0041A0B4 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004270BC push 00427104h; ret
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00458108 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004321C8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004A21D8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0049E1B8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0049A260 push 0049A378h; ret
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00455268 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004252D4 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004592FC push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0045B284 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00430358 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00430370 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00459394 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004A1428 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0049B424 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004A24D8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004224F0 push 004225F4h; ret
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004304F0 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00499490 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00458564 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00458574 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00457574 push ecx; mov dword ptr [esp], ecx

Source: download.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\download.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0040AEF4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\Desktop\download.exe	Code function: 1_2_0040AEF4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\download.exe	Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\Desktop\download.exe	Code function: 2_2_0040AEF4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\download.exe	Code function: 2_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\download.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\download.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_00405AE0 cpuid

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_0041C3D8 GetLocalTime,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	25 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
download.exe	4%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	download.exe	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline	download.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	606090
Start date and time: 08/04/202223:58:49	2022-04-08 23:58:49 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	download.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@3/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 19.7% (good quality ratio 19.5%) Quality average: 77.6% Quality standard deviation: 22.4%
HCA Information:	Successful, ratio: 88% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.54.89.106, 52.152.110.14, 40.112.88.60, 20.54.110.249
Excluded domains from analysis (whitelisted): www.bing.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.547049237301527
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	download.exe
File size:	1735928
MD5:	a2c883b0e7a1b002b088f52f647f2e2f
SHA1:	0ed075b4c2163cac0463f4f6b7961d0850e1fc05
SHA256:	27d4749a0db6fffdcc3744cb2ed29e8ffa8cc00140ee61faa3a4b0446d512076
SHA512:	4894c7fc90c85a1e1d62a712688e39b3809e090653cf126fc36fe0555843206443612676ec2c9ab5a6df5cb0d62966624e4633abfe0a3f8a7a2e360f2c748dd1
SSDEEP:	24576:N4nXubIQGyxbPV0db26p2iInkk7vhTCxMLM05Zl3dWzXh35FqF+ahOIZDNJxjNh2:Nqe3f6JIPuxMA05Zl3EFqDEoN3jNhntU
TLSH:	0F85CF3FB268653FD4AE0B3245B39350997BBA61A81A8C2F07F0094DCF665701F3B656
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Static PE Info

General

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB0F96E [Sun Nov 15 09:48:30 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007FA8C8A17D65h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007FA8C8ABA48Fh
call 00007FA8C8AB9FE2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FA8C8A2D7D8h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007FA8C8A12957h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007FA8C8A2E83Fh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FA8C8ABA517h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FA8C8AC0AFAh
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007FA8C8A2F134h
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x4800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb361c	0xb3800	False	0.344863934105	data	6.35605820433	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	False	0.544921875	data	5.97275005522	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.360979352679	data	5.04440056201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0xbb000	0x6de8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0xc2000	0xf36	0x1000	False	0.3681640625	data	4.89870464796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.75636286825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.87222286659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.38389437522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x4800	0x4800	False	0.314832899306	data	4.41298427192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc74c8	0x128	GLS_BINARY_LSB_FIRST	Dutch	Netherlands
RT_ICON	0xc75f0	0x568	GLS_BINARY_LSB_FIRST	Dutch	Netherlands
RT_ICON	0xc7b58	0x2e8	data	Dutch	Netherlands
RT_ICON	0xc7e40	0x8a8	data	Dutch	Netherlands
RT_STRING	0xc86e8	0x360	data
RT_STRING	0xc8a48	0x260	data
RT_STRING	0xc8ca8	0x45c	data
RT_STRING	0xc9104	0x40c	data
RT_STRING	0xc9510	0x2d4	data
RT_STRING	0xc97e4	0xb8	data
RT_STRING	0xc989c	0x9c	data
RT_STRING	0xc9938	0x374	data
RT_STRING	0xc9cac	0x398	data
RT_STRING	0xca044	0x368	data
RT_STRING	0xca3ac	0x2a4	data
RT_RCDATA	0xca650	0x10	data
RT_RCDATA	0xca660	0x2c4	data
RT_RCDATA	0xca924	0x2c	data
RT_GROUP_ICON	0xca950	0x3e	data	English	United States
RT_VERSION	0xca990	0x584	data	English	United States
RT_MANIFEST	0xcaf14	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454060
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Version Infos

Description	Data
LegalCopyright
FileVersion
CompanyName
Comments	This installation was built with Inno Setup.
ProductName	Inno Script Studio
ProductVersion	1.0
FileDescription	Inno Script Studio Setup
OriginalFileName
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Target ID:	0
Start time:	23:59:45
Start date:	08/04/2022
Path:	C:\Users\user\Desktop\download.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\download.exe" -install
Imagebase:	0x400000
File size:	1735928 bytes
MD5 hash:	A2C883B0E7A1B002B088F52F647F2E2F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Analysis Process: download.exePID: 6696, Parent PID: 2732

General

Target ID:	1
Start time:	23:59:48
Start date:	08/04/2022
Path:	C:\Users\user\Desktop\download.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\download.exe" /install
Imagebase:	0x400000
File size:	1735928 bytes
MD5 hash:	A2C883B0E7A1B002B088F52F647F2E2F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Analysis Process: download.exePID: 6724, Parent PID: 2732

General

Target ID:	2
Start time:	23:59:50
Start date:	08/04/2022
Path:	C:\Users\user\Desktop\download.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\download.exe" /load
Imagebase:	0x400000
File size:	1735928 bytes
MD5 hash:	A2C883B0E7A1B002B088F52F647F2E2F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report download.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: download.exePID: 6644, Parent PID: 2732

General

Analysis Process: download.exePID: 6696, Parent PID: 2732

General

Analysis Process: download.exePID: 6724, Parent PID: 2732

General

Disassembly

Windows Analysis Report
download.exe