Windows
Analysis Report
alternateshell.exe
Overview
General Information
Detection
Score: | 4 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
alternateshell.exe (PID: 6636, cmdline: "C:\Users\user\Desktop\alternateshell.exe", MD5: 9EC3D89978C9A2EA2A7454D2913D79D2)
- cleanup
- Compliance
- Networking
- Key, Mouse, Clipboard, Microphone and Screen Capturing
- System Summary
- Data Obfuscation
- Malware Analysis System Evasion
- Anti Debugging
- Language, Device and Operating System Detection
There are no malicious signatures.
Signature evidence sources (deduplicated):
- Static PE information
- Binary string
- String found in binary or memory
- Binary or memory string
- Key opened
- Classification label
- Code function: 0_2_0009336B, 0_2_000926B8, 0_2_00092E19, 0_2_00091439, 0_2_0009284F
- Evasive API call chain: graph_0-2676
- Thread injection, dropped files, key value created, disk infection and DNS query
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Native API | Path Interception | Path Interception | 1 Obfuscated Files or Information | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Virustotal | | |
| 0% | Metadefender | | |
| 0% | ReversingLabs | | |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 614316 |
Start date and time: | 2022-04-23 10:59:43 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 2m 25s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | alternateshell.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean4.winEXE@1/0@0/0 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.40.136.238
- Excluded domains from analysis (whitelisted): iris-de-prod-azsc-frc-b.francecentral.cloudapp.azure.com, store-images.s-microsoft.com, arc.trafficmanager.net, arc.msn.com
File type: | |
Entropy (8bit): | 6.106728522496812 |
TrID: | |
File name: | alternateshell.exe |
File size: | 97992 |
MD5: | 9ec3d89978c9a2ea2a7454d2913d79d2 |
SHA1: | 178f6491b30329f7946d0ba2c9d484e7d363ec6d |
SHA256: | 7acd2e8f32235743d25b48d9b679b553e60a6348e13edd4f7eab6aee79fefe2c |
SHA512: | 0d06435bcf7b5e1b7cb4d13ecff8048e8ed90dda953dab9ba5fddb7467d6474ca57a3d070feb5162b55e070ead2087ba4ab39ef4b0989ed0684bda84275c8f9b |
SSDEEP: | 1536:6iysMsz9FI3Fs6Z4HLN72NBNhFaaDvsoAKQ3XDk/wXiv:ssMs5W3u6yHWBVU/nY/wk |
TLSH: | BAA36C82B690C4B2D47D4A3068B7D6A1193F7C52BA70521F36BEB36D1FB2392147931B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.....mY..mY..mYd^.Yu.mYd^.Yw.mYd^.YF.mYv..Yx.mY..lY8.mYd^.Y~.mYd^.Y~.mYd^.Y~.mYRich..mY........PE..L....A_Y.................H. |
Icon Hash: | f8f09a9ab6e2c478 |
Entrypoint: | 0x40142f |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x595F41C6 [Fri Jul 7 08:09:42 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 6c22b430b335a4c5df9dfac22085a338 |
Signature Valid: | true |
Signature Issuer: | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | A628AE2A47F43E753AFCE759375AE223 |
Thumbprint SHA-1: | 0A5056EF8D5A22AA72B8B23E6D8F481D578ED32D |
Thumbprint SHA-256: | 5F7AFAC78212668738727EB174DC5D4DE230EC739A7904AC191804D5C6368C49 |
Serial: | 4656DAA8B8B1F3E94BB8DBC46B5026C6 |
Instruction |
---|
call 00007F5A444BE6B0h |
jmp 00007F5A444BD12Ah |
cmp ecx, dword ptr [00409050h] |
jne 00007F5A444BD294h |
rep ret |
jmp 00007F5A444BE737h |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov edx, eax |
mov cx, word ptr [eax] |
add eax, 02h |
test cx, cx |
jne 00007F5A444BD287h |
mov cx, word ptr [ebp+0Ch] |
sub eax, 02h |
cmp eax, edx |
je 00007F5A444BD297h |
cmp word ptr [eax], cx |
jne 00007F5A444BD286h |
cmp word ptr [eax], cx |
je 00007F5A444BD294h |
xor eax, eax |
pop ebp |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
push ebx |
mov ebx, dword ptr [ebp+0Ch] |
cmp word ptr [ebx], 0000h |
push edi |
mov edi, eax |
je 00007F5A444BD2D5h |
movzx ecx, word ptr [eax] |
test cx, cx |
je 00007F5A444BD2CBh |
mov edx, ecx |
sub eax, ebx |
mov ecx, dword ptr [ebp+0Ch] |
test dx, dx |
je 00007F5A444BD2ABh |
movzx edx, word ptr [ecx] |
test dx, dx |
je 00007F5A444BD2BDh |
movzx ebx, word ptr [eax+ecx] |
sub ebx, edx |
jne 00007F5A444BD29Bh |
add ecx, 02h |
cmp word ptr [eax+ecx], bx |
jne 00007F5A444BD279h |
cmp word ptr [ecx], 0000h |
je 00007F5A444BD2A6h |
add edi, 02h |
movzx edx, word ptr [edi] |
add eax, 02h |
test dx, dx |
jne 00007F5A444BD25Dh |
xor eax, eax |
pop edi |
pop ebx |
pop ebp |
ret |
mov eax, edi |
jmp 00007F5A444BD28Ah |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov eax, dword ptr [eax] |
cmp dword ptr [eax], E06D7363h |
jne 00007F5A444BD2BCh |
cmp dword ptr [eax+10h], 03h |
jne 00007F5A444BD2B6h |
mov eax, dword ptr [eax+14h] |
cmp eax, 19930520h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7b0c | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb000 | 0xdd20 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16200 | 0x1cc8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19000 | 0x5cc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6140 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7890 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x10c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x46a2 | 0x4800 | False | 0.616048177083 | data | 6.46027549604 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x6000 | 0x2142 | 0x2200 | False | 0.340533088235 | data | 4.71286861664 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x18c0 | 0xc00 | False | 0.213216145833 | data | 2.47173833754 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0xb000 | 0xdd20 | 0xde00 | False | 0.439629082207 | data | 5.66526402542 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x19000 | 0x81c | 0xa00 | False | 0.515625 | data | 4.62724530341 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xb388 | 0xa68 | dBase IV DBT of \200.DBF, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0xbdf0 | 0x668 | data | English | United States |
RT_ICON | 0xc458 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2415919103, next used block 7376776 | English | United States |
RT_ICON | 0xc740 | 0x1e8 | data | English | United States |
RT_ICON | 0xc928 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0xca50 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4009030900, next used block 4008636142 | English | United States |
RT_ICON | 0xe078 | 0xea8 | data | English | United States |
RT_ICON | 0xef20 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0xf7c8 | 0x6c8 | data | English | United States |
RT_ICON | 0xfe90 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0x103f8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4294901760 | English | United States |
RT_ICON | 0x14620 | 0x25a8 | data | English | United States |
RT_ICON | 0x16bc8 | 0x10a8 | data | English | United States |
RT_ICON | 0x17c70 | 0x988 | data | English | United States |
RT_ICON | 0x185f8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_GROUP_ICON | 0x18a60 | 0xd8 | data | English | United States |
RT_MANIFEST | 0x18b38 | 0x1e8 | ASCII text, with very long lines, with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | GetCommandLineW, WaitForSingleObject, GetExitCodeProcess, GetFileAttributesW, GetModuleFileNameW, SetCurrentDirectoryW, CloseHandle, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapReAlloc, HeapAlloc, GetCommandLineA, HeapSetInformation, SetUnhandledExceptionFilter, GetProcAddress, GetModuleHandleW, ExitProcess, DecodePointer, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, HeapFree, Sleep, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, HeapSize, IsProcessorFeaturePresent |
USER32.dll | MessageBoxW |
SHELL32.dll | ShellExecuteExW, CommandLineToArgvW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 11:00:41 |
Start date: | 23/04/2022 |
Path: | C:\Users\user\Desktop\alternateshell.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x90000 |
File size: | 97992 bytes |
MD5 hash: | 9EC3D89978C9A2EA2A7454D2913D79D2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 10.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 3.4% |
Total number of Nodes: | 972 |
Total number of Limit Nodes: | 18 |
Graph
Control-flow Graphs
Per-function decompilation (C-Code quality): 95%, 100%, 86%, 25%, 85%, 62%, 91%, 80%, 94%, 77%
Uniqueness Score (every function): -1.00%