Edit tour

Windows Analysis Report
sdbinst.exe.zip

Overview

General Information

Sample Name:	sdbinst.exe.zip
Analysis ID:	648942
MD5:	fa3cd626f6e7f0d33b38a6a794a98d05
SHA1:	51e6683869180f15b61685ad7868d8837d47c56a
SHA256:	5ec7bd48fc7317532bc8664f9a044ee5e6537f530b68c8d8d6a10d2bcb3a13c1

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is start

cmd.exe (PID: 1624 cmdline: "C:\Windows\system32\cmd.exe" MD5: 9D59442313565C2E0860B88BF32B2277)

conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

sdbinst.exe (PID: 6312 cmdline: sdbinst.exe -m -bg MD5: B365F6D8D8B2F42CB499179EA0693B9E)

sdbinst.exe (PID: 1676 cmdline: "C:\Windows\system32\sdbinst.exe" -m -bg MD5: B365F6D8D8B2F42CB499179EA0693B9E)

sdbinst.exe (PID: 3076 cmdline: "C:\Windows\system32\sdbinst.exe" -m -bg MD5: B365F6D8D8B2F42CB499179EA0693B9E)

conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_02

Source: C:\Windows\System32\sdbinst.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: classification engine

Classification label: clean1.winZIP@7/0@0/0

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sdbinst.exe sdbinst.exe -m -bg
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sdbinst.exe "C:\Windows\system32\sdbinst.exe" -m -bg
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sdbinst.exe "C:\Windows\system32\sdbinst.exe" -m -bg
Source: C:\Windows\System32\sdbinst.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sdbinst.exe sdbinst.exe -m -bg

Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link
Source: sdbinst.exe.zip	Joe Sandbox Cloud Basic: Detection: clean Score: 2	Perma Link

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\cmd.exe

Process information set: NOOPENFILEERRORBOX

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sdbinst.exe sdbinst.exe -m -bg

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	11 Process Injection	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	648942
Start date and time: 20/06/202217:37:12	2022-06-20 17:37:12 +02:00
Joe Sandbox Product:	CloudBasic
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sdbinst.exe.zip
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.winZIP@7/0@0/0
Cookbook Comments:	Found application associated with file extension: .zip Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): rundll32.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, nexusrules.officeapps.live.com
Not all processes where analyzed, report is missing behavior information

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.998272331785959
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	sdbinst.exe.zip
File size:	92498
MD5:	fa3cd626f6e7f0d33b38a6a794a98d05
SHA1:	51e6683869180f15b61685ad7868d8837d47c56a
SHA256:	5ec7bd48fc7317532bc8664f9a044ee5e6537f530b68c8d8d6a10d2bcb3a13c1
SHA512:	85e8310c445f625b243137d9c8c49b2b62efcced10acfce4b4a6f93b213bfeed5ed13c083cefc718e0a8534800e437fa7ee5f6f5f47187b1b0f0ef8bc2a302f2
SSDEEP:	1536:iszwWQe6l23zCN0sGcDO8NLY6IREedhGQVK/kKvX4sHTv0rKT5bD3C:pvQ/eCNv9OMLY6ItdgwK/MrKdPC
TLSH:	919312F82098C4D281CC9A99A78F136D663E089D8E2F2B2D1F45E6BF1054F5F17245DA
File Content Preview:	PK.........x.Tm....h...@......sdbinst.exe.d...V. .C(./.?...v..zr8..D.........y.xJ......f.o...u3......H.....AS.'..q..lB.R......u./....B^!]S.......\2VX.._...3"......_.M.....Z.X.....3,.[fC.s.w.....:........\..4.).&.V7.(..............I#...!T.O.l.......hc.]\|

File Icon


Icon Hash:	f4ccccccccccccdc

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sdbinst.exe.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

Static File Info

General

File Icon

Windows Analysis Report
sdbinst.exe.zip