Windows Analysis Report
wpbbin.exe

Overview

General Information

Sample Name:wpbbin.exe
Analysis ID:734790
MD5:e92a370fca78acdbc0759bb55bf97c37
SHA1:664675bbc622cc6309e53a27ac5da7ce86530cf2
SHA256:e3c22ed10c7c6dd40393cc24cffa18981f9c43390014764cd6ef95693c09ef2f
Errors
  • Corrupt sample or wrongly selected analyzer. Details: C000007B
    0xC000007B is STATUS_INVALID_IMAGE_FORMAT. The file is not corrupt: it is a validly signed PE32+ image built for the native subsystem (see "Subsystem: native" and the ntdll.dll-only import table below), and CreateProcess refuses to start such images, so the sandbox never executed a single instruction of it. wpbbin.exe is the file name Windows gives to a firmware-supplied Windows Platform Binary Table (WPBT) executable, which Session Manager runs as a native application during boot; that is the environment this sample is built for, and static analysis is all a user-mode sandbox can offer for it.

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Sample file is different than original file name gathered from version info
Program does not show much activity (idle)
PE file contains sections with non-standard names

Classification

Score 1 on the 0-100 scale (clean / suspicious / malicious). The detection verdict is UNKNOWN because the sample never executed; the score reflects static checks only.

Process Tree

  • System is w10x64
  • wpbbin.exe (PID: 3316 cmdline: C:\Users\user\Desktop\wpbbin.exe MD5: E92A370FCA78ACDBC0759BB55BF97C37)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures; all signature results follow.

Source: wpbbin.exe | Static PE information: certificate valid
Source: wpbbin.exe | Binary string: D:\codes\ArmouryCrate\Others\sw\dlagent\AsusUpdateCheck\x64\Release\AsusUpdateCheck.pdb
Source: wpbbin.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wpbbin.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: wpbbin.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: wpbbin.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wpbbin.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wpbbin.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: wpbbin.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: wpbbin.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wpbbin.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wpbbin.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: wpbbin.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: wpbbin.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wpbbin.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: wpbbin.exe | String found in binary or memory: http://ocsp.digicert.com0H
Source: wpbbin.exe | String found in binary or memory: http://ocsp.digicert.com0I
Source: wpbbin.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: wpbbin.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: wpbbin.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: wpbbin.exe | String found in binary or memory: https://www.digicert.com/CPS0
The DigiCert URLs above are the AIA, CRL, OCSP and CPS pointers of the embedded Authenticode certificate chain (code-signing CA plus a timestamping CA); the stray trailing characters ("0P", "0:", "0C") are the DER bytes that follow each URL inside the certificate. They are not network indicators: the import table lists ntdll.dll only, with no socket or HTTP library, so the outer binary has no code path that could contact them.
Source: wpbbin.exe, 00000003.00000000.287052245.0000000000404000.00000008.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenameAsusDownLoadLicense.exeH vs wpbbin.exe
Source: wpbbin.exe | Binary or memory string: OriginalFilenameAsusDownLoadLicense.exeH vs wpbbin.exe
The file carries three names: the on-disk name wpbbin.exe, a version string naming AsusDownLoadLicense.exe, and a PDB path naming AsusUpdateCheck.exe. The OriginalFilename string was found in the memory region that starts at 0x404000, which is the start of .data (VA 0x4000 at image base 0x400000) rather than the .rsrc section that holds the outer file's own RT_VERSION resource, so it most likely belongs to a second PE image embedded in .data (1.1 MB at entropy 7.2). That embedded image is the plausible source of the file the string analysis below shows being written to \SystemRoot\System32\AsusUpdateCheck.exe; the report does not extract it, so this remains an inference from offsets and strings.
Source: wpbbin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ (the report's row enumerates every IMAGE_SCN_ALIGN_* constant whose bits overlap the 4-bit alignment field of Characteristics; decoded, that field holds the single value ALIGN_16BYTES)
Source: wpbbin.exe | String found in binary or memory: -install to install the service.
Source: wpbbin.exe | String found in binary or memory: Q-Installer
Source: wpbbin.exe | String found in binary or memory: by ASUS Q-Installer
Source: wpbbin.exe | String found in binary or memory: by Q-Installer
Source: wpbbin.exe | String found in binary or memory: ?;ASUS Q-Installer automatisch herunterladen und installieren (German: "Download and install ASUS Q-Installer automatically")
Source: wpbbin.exe | String found in binary or memory: ?;Mit Hilfe von Q-Installer k (German, cut off: "With the help of Q-Installer you can ...")
Source: wpbbin.exe | String found in binary or memory: chten, klicken Sie auf "Installieren", um Q-Installer zu installieren und auszuf (German, cut off at both ends: "... click "Install" to install and run Q-Installer")
Source: wpbbin.exe | String found in binary or memory: 73Das Q-Installationsprogramm wird heruntergeladen (German: "The Q-Installer program is being downloaded")
Source: wpbbin.exe | String found in binary or memory: 73Download and install ASUS Q-Installer automatically
Source: wpbbin.exe | String found in binary or memory: *&Q-Installer helps you install drivers.
Source: wpbbin.exe | String found in binary or memory: RNIf you would like to continue, click "Install" to install and run Q-Installer.
Source: wpbbin.exe | String found in binary or memory: Downloading Q-Installer
Source: wpbbin.exe | String found in binary or memory: :6Descargar e instalar ASUS Q-Installer autom (Spanish, cut off: "Download and install ASUS Q-Installer automatically")
Source: wpbbin.exe | String found in binary or memory: 2.Q-Installer le ayuda a instalar controladores. (Spanish: "Q-Installer helps you install drivers.")
Source: wpbbin.exe | String found in binary or memory: UQSi desea continuar, haga clic en "Instalar" para instalar y ejecutar Q-Installer. (Spanish: "If you want to continue, click "Install" to install and run Q-Installer.")
Source: wpbbin.exe | String found in binary or memory: Descargando Q-Installer (Spanish: "Downloading Q-Installer")
Source: wpbbin.exe | String found in binary or memory: charger et installer ASUS Q-Installer automatiquement (French, cut off: "[Down]load and install ASUS Q-Installer automatically")
Source: wpbbin.exe | String found in binary or memory: 3/Q-Installer vous aide (French, cut off: "Q-Installer helps you ...")
Source: wpbbin.exe | String found in binary or memory: cuter Q-Installer. (French, cut off: "... run Q-Installer.")
Source: wpbbin.exe | String found in binary or memory: chargement de Q-Installer en cours... (French, cut off: "Downloading Q-Installer...")
Source: wpbbin.exe | String found in binary or memory: @<Installazione di aggiornamento del servizio ASUS Q-Installer (Italian: "Installing the ASUS Q-Installer service update")
Source: wpbbin.exe | String found in binary or memory: ?;Download aggiornamento del servizio Q-Installer in corso... (Italian: "Downloading the Q-Installer service update...")
Source: wpbbin.exe | String found in binary or memory: ASUS Q-Installer
Source: wpbbin.exe | String found in binary or memory: RNQ-Installer
Source: wpbbin.exe | String found in binary or memory: Q-Installer
Source: wpbbin.exe | String found in binary or memory: 73Q-Installer
Source: wpbbin.exe | String found in binary or memory: D@ASUS Q-Installer
Source: wpbbin.exe | String found in binary or memory: 84Q-Installer
Source: wpbbin.exe | String found in binary or memory: Q-Installer
Source: wpbbin.exe | String found in binary or memory: &"Q-Installer
Source: wpbbin.exe | String found in binary or memory: ASUS Q-Installer
Source: wpbbin.exe | String found in binary or memory: EAQ-Installer
Source: wpbbin.exe | String found in binary or memory: Q-Installer.
Source: wpbbin.exe | String found in binary or memory: Q-Installer...
Source: wpbbin.exe | String found in binary or memory: yuQ-Installer
Source: wpbbin.exe | String found in binary or memory: +'Q-Installer
Source: wpbbin.exe | String found in binary or memory: fbQ-Installer
The one- or two-character prefixes on these lines ("73", "RN", "*&", "?;") are not part of the messages: the character immediately before each message is the length byte of a length-prefixed string-table entry (for example "N" is 0x4E = 78, the length of the English sentence that follows it, and "&" is 0x26 = 38, the length of "Q-Installer helps you install drivers."). The entries that stop mid-word break where an accented character (ö, ü, á, é) ended the extractor's ASCII run. The "-install to install the service." usage text is the only string that describes the outer binary's own command line; the localized sentences are dialog text for the ASUS Q-Installer driver installer, and a native-subsystem image has no window manager to display them, so they are not shown by the outer binary's own code.
Source: classification engine | Classification label: unknown1.winEXE@1/0@0/0
Source: wpbbin.exe | Static file information: File size 1223640 > 1048576
Source: wpbbin.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x11c800
Source: wpbbin.exe | Static PE information: section name: .xdata (x64 unwind data; MSVC merges it into .rdata while other toolchains emit it as its own section, so the name is a build artifact, not an evasion indicator)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected (the process never ran, so this absence follows from the launch failure and is not evidence of benign behaviour)
Source: wpbbin.exe | Binary or memory string: MS P Gothic%Shell_TrayWnd zero-Shell_TrayWnd mMaxWait
Source: wpbbin.exe | Binary or memory string: Shell_TrayWnd/Shell_TrayWnd init zero'Shell_TrayWnd exist3after InitializeComponent
Shell_TrayWnd is the window class of the Explorer taskbar and InitializeComponent is the designer-generated initializer of a .NET WinForms/WPF form; these read as log messages from GUI code that polls for the desktop before showing a window. A native-subsystem application cannot create windows, so, like the Q-Installer dialog text, these strings belong to code carried inside the image rather than to its own entry path.
MITRE ATT&CK Matrix (tactic columns as rendered in the report; the per-cell signature counts are not reproduced, and no malicious signature fired)

  • Initial Access: Valid Accounts
  • Execution: Command and Scripting Interpreter
  • Persistence: Path Interception
  • Privilege Escalation: Process Injection
  • Defense Evasion: Process Injection
  • Credential Access: OS Credential Dumping
  • Discovery: Process Discovery
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Exfiltration: Exfiltration Over Other Network Medium
  • Command and Control: Data Obfuscation
  • Network Effects: Eavesdrop on Insecure Network Communication
  • Remote Service Effects: Remotely Track Device Without Authorization
  • Impact: Modify System Partition
Behavior Graph (ID 734790, sample wpbbin.exe, start date 01/11/2022, architecture WINDOWS, score 1)

  • wpbbin.exe: started
  (a single process node; no child-process, dropped-file or DNS/IP nodes)
Source: wpbbin.exe  Detection: 1%  Scanner: Virustotal
No other Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:734790
Start date and time:2022-11-01 01:03:49 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 18s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:wpbbin.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:UNKNOWN
Classification:unknown1.winEXE@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 5
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • Corrupt sample or wrongly selected analyzer. Details: C000007B
  • Exclude process from analysis (whitelisted): SgrmBroker.exe, svchost.exe
  • Execution Graph export aborted for target wpbbin.exe, PID 3316 because there are no executed function
No simulations
No context
No created / dropped files found
File type:PE32+ executable (native) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):7.204393002117822
TrID:
  • Win64 Device Driver (generic) (12004/3) 74.80%
  • Generic Win/DOS Executable (2004/3) 12.49%
  • DOS Executable Generic (2002/1) 12.48%
  • VXD Driver (31/22) 0.19%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
TrID's "device driver" guess rests on the native subsystem value, which kernel drivers share. This file is a user-mode native application, not a driver: every import is resolved against ntdll.dll, the user-mode system DLL, rather than ntoskrnl.exe or hal.dll, and the calls it uses (RtlCreateHeap, NtCreateFile, NtDisplayString) are the user-mode native API.
File name:wpbbin.exe
File size:1223640
MD5:e92a370fca78acdbc0759bb55bf97c37
SHA1:664675bbc622cc6309e53a27ac5da7ce86530cf2
SHA256:e3c22ed10c7c6dd40393cc24cffa18981f9c43390014764cd6ef95693c09ef2f
SHA512:fa0dbb4c5fe7a46f7f7cee53c8128917fb37cf556378f9a2d19e954ab7eabda8b170791d49b4df2e8be3aa9f4f9e051508d38ffd9399fa7c509544586baf9995
SSDEEP:24576:j6XC8RIDpuEJbpDVOF+YR7u8reB+InKvd1TGW:2NmpHbTOF+yFgnKzTGW
TLSH:1645BEC5629704B5E5E681384462953DF2337C7677E1C7DB029FA16B2E326908E3EB32
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....=.a....M.....'......$..........E2........@..............................p......z?........ ............................
Icon Hash:00828e8e8686b000
Entrypoint:0x403245
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:native
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:FORCE_INTEGRITY
Time Stamp:0x61133DA4 [Wed Aug 11 03:01:56 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:15c933847608b417aa7d6332ff914f66
Signature Valid:true
Signature Issuer:CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before: 3/31/2019 5:00:00 PM
Not After: 1/11/2022 4:00:00 AM
Subject Chain
  • CN=ASUSTeK Computer Inc., O=ASUSTeK Computer Inc., L=Taipei City, C=TW, SERIALNUMBER=23638777, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=TW
Version:3
Thumbprint MD5:41149C9B9F541245A790D358D3E16C73
Thumbprint SHA-1:6DB60532FC698CA1A387A5E2BD257CAF30E6B36D
Thumbprint SHA-256:628B7BF8CC7D614D7D24A450C2817397FE4D8544A192F99C2D29AF7C7A98272F
Serial:0C64962E4467EDCC1579646B7337EC8C
The signing certificate's validity ended in January 2022, ten months before this analysis, while the PE time stamp (August 2021) falls inside the validity window. "Signature Valid: true" after certificate expiry is expected only when the signature carries a trusted timestamp countersignature; the DigiCert timestamping CA and sha2-assured-ts CRL references embedded in the file are consistent with one. A verifier that ignores the countersignature (or a policy that rejects expired signing certificates outright) will report this signature as expired rather than valid, so the two results are not contradictory.
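The loader error, the subsystem field, the DLL characteristics and the section flags above can all be checked before a sample is ever submitted. The following Python is an added example written for this page, not code from the report or from ASUS: it builds a header-only PE32+ image in memory from the values the report lists (a constructed stand-in for the real file that carries no code, data or signature bytes), parses the headers with the offsets from the PE/COFF specification, decodes section characteristics with the 4-bit alignment field treated as one value, and returns the triage findings a practitioner wants before detonation. Everything in the sample-builder constants is copied from this report; the findings text and the threshold choices are the example's own.

```python
"""Pre-detonation PE triage (added example; constructed header with values from this report)."""
import struct

IMAGE_SUBSYSTEM = {0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI",
                   10: "EFI_APPLICATION", 16: "WINDOWS_BOOT_APPLICATION"}
FILE_CHARS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
              0x0020: "LARGE_ADDRESS_AWARE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL"}
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
                 0x00000080: "CNT_UNINITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
                 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
STATUS_INVALID_IMAGE_FORMAT = 0xC000007B
DIR_SECURITY, DIR_BASERELOC = 4, 5

# Section layout and directories copied from the report's tables (constructed stand-in,
# no bytes of the real file). Characteristics carry the decoded single alignment value.
SAMPLE_SECTIONS = [  # name, VA, virtual size, raw size, characteristics
    (".text", 0x1000, 0x23E0, 0x2400, 0x60500020), (".data", 0x4000, 0x11C740, 0x11C800, 0xC0600040),
    (".rdata", 0x121000, 0x780, 0x800, 0x40500040), (".pdata", 0x122000, 0x1E0, 0x200, 0x40300040),
    (".xdata", 0x123000, 0x1F0, 0x200, 0x40300040), (".bss", 0x124000, 0x18, 0x0, 0xC0500080),
    (".idata", 0x125000, 0x624, 0x800, 0xC0300040), (".rsrc", 0x126000, 0x268, 0x400, 0xC0300040)]
SAMPLE_DIRS = {1: (0x125000, 0x624), 2: (0x126000, 0x268), 3: (0x122000, 0x1E0),
               4: (0x123D60, 0x6E78), 12: (0x125178, 0x150)}


def flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]


def decode_section_flags(chars):
    """Bits 20-23 of Characteristics are one alignment value (1 << (n-1) bytes), not a bit set."""
    names = flag_names(chars, SECTION_FLAGS)
    align = (chars >> 20) & 0xF
    if align:
        names.append("ALIGN_%dBYTES" % (1 << (align - 1)))
    return names


def build_sample_pe():
    """Header-only PE32+ whose fields mirror the report; constructed for this example."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(SAMPLE_SECTIONS), 0x61133DA4, 0, 0, 240, 0x0227)
    opt = bytearray(240)                                              # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x3245)                           # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", opt, 24, 0x400000)                         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                   # section / file alignment
    struct.pack_into("<HH", opt, 68, 1, 0x0080)                       # Subsystem NATIVE, FORCE_INTEGRITY
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    for idx, (va, size) in SAMPLE_DIRS.items():
        struct.pack_into("<II", opt, 112 + 8 * idx, va, size)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, rs, ch in SAMPLE_SECTIONS)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


def parse_pe(data):
    """Parse DOS, COFF and optional headers plus the section table (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsect, stamp, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    plus = magic == 0x20B
    if not plus and magic != 0x10B:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    base = struct.unpack_from("<Q", data, opt + 24)[0] if plus else struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dchars = struct.unpack_from("<HH", data, opt + 68)   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    dirs_at = opt + (112 if plus else 96)
    dirs = [struct.unpack_from("<II", data, dirs_at + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vs, va, rs, _, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vs, "raw_size": rs, "flags": decode_section_flags(ch)})
    return {"machine": machine, "timestamp": stamp, "file_characteristics": flag_names(fchars, FILE_CHARS),
            "subsystem": subsystem, "subsystem_name": IMAGE_SUBSYSTEM.get(subsystem, str(subsystem)),
            "dll_characteristics": flag_names(dchars, DLL_CHARS), "image_base": base,
            "entry_point": base + entry_rva, "directories": dirs, "sections": sections}


def triage(data):
    """Static findings a sandbox operator wants before submitting the file."""
    pe = parse_pe(data)
    f = []
    if pe["subsystem"] == 1:
        f.append("native subsystem: CreateProcess fails with STATUS_INVALID_IMAGE_FORMAT 0x%08X; "
                 "a user-mode sandbox cannot run it, analyse statically" % STATUS_INVALID_IMAGE_FORMAT)
    if "FORCE_INTEGRITY" in pe["dll_characteristics"]:
        f.append("FORCE_INTEGRITY: the loader enforces the Authenticode signature; a patched copy will not load")
    if "RELOCS_STRIPPED" in pe["file_characteristics"] and pe["directories"][DIR_BASERELOC] == (0, 0):
        f.append("no relocations: image only runs at 0x%X, no ASLR" % pe["image_base"])
    off, size = pe["directories"][DIR_SECURITY]
    if size:
        f.append("Authenticode blob at file offset 0x%X, %d bytes (the security entry is a file offset, not an RVA)"
                 % (off, size))
    wx = [s["name"] for s in pe["sections"] if "MEM_EXECUTE" in s["flags"] and "MEM_WRITE" in s["flags"]]
    if wx:
        f.append("writable and executable sections: %s" % ", ".join(wx))
    return pe, f


if __name__ == "__main__":
    info, findings = triage(build_sample_pe())
    print(info["subsystem_name"], info["file_characteristics"], info["dll_characteristics"])
    for line in findings:
        print("-", line)
```

Run against the constructed header the script reports NATIVE, the five file characteristics the report lists, FORCE_INTEGRITY, and three findings: the C000007B launch failure, the fixed 0x400000 base, and the 0x6e78-byte Authenticode blob at file offset 0x123d60. To use it on a real file, pass `open(path, "rb").read()` to `triage` instead of `build_sample_pe()`; the parser only touches the headers, so a large .data section costs nothing.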
Instruction (entry point at 0x403245; the report decodes the x64 code as 32-bit, so every "dec eax" below is really a 0x48 REX.W prefix and the sequence reads push rbp / mov rbp, rsp / sub rsp, 20h / five calls / add rsp, 20h / pop rbp / ret, a startup stub that calls five routines in turn, followed by the import thunks, which in 64-bit mode are RIP-relative jmp qword ptr [...] into the IAT)
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
call 00007F03A8A78F23h
call 00007F03A8A7925Ah
call 00007F03A8A78F9Ch
call 00007F03A8A79393h
call 00007F03A8A78F3Eh
nop
dec eax
add esp, 20h
pop ebp
ret
nop
nop
nop
jmp dword ptr [00122042h]
nop
nop
jmp dword ptr [00122032h]
nop
nop
jmp dword ptr [00122022h]
nop
nop
jmp dword ptr [00122012h]
nop
nop
jmp dword ptr [00122002h]
nop
nop
jmp dword ptr [00121FF2h]
nop
nop
jmp dword ptr [00121FE2h]
nop
nop
jmp dword ptr [00121FD2h]
nop
nop
jmp dword ptr [00121FC2h]
nop
nop
jmp dword ptr [00121FB2h]
nop
nop
jmp dword ptr [00121FA2h]
nop
nop
jmp dword ptr [00121F92h]
nop
nop
jmp dword ptr [00121F82h]
nop
nop
jmp dword ptr [00121F72h]
nop
nop
jmp dword ptr [00121F62h]
nop
nop
jmp dword ptr [00121F52h]
nop
nop
jmp dword ptr [00121F42h]
nop
nop
jmp dword ptr [00121F32h]
nop
nop
jmp dword ptr [00121F22h]
nop
nop
jmp dword ptr [00121F12h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x125000         0x624         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x126000         0x268         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x122000         0x1e0         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x123d60         0x6e78
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x125178         0x150         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Two entries deserve a second look. The SECURITY entry is a raw file offset, not an RVA: 0x123d60 + 0x6e78 = 0x12abd8 = 1223640, the file size, so the Authenticode blob is the tail of the file and correctly maps to no section. BASERELOC is empty and the file characteristics include RELOCS_STRIPPED, so the image can only be mapped at its preferred base of 0x400000 and gets no ASLR; the empty LOAD_CONFIG entry means there are no Control Flow Guard tables either. The empty DEBUG entry is why the PDB path survives only as a loose string in the binary.
The report's original rows list every IMAGE_SCN_ALIGN_* constant whose bits overlap the section's alignment field (bits 20-23 of Characteristics), so each row appeared to carry a dozen mutually exclusive alignment flags. That field is a single value and is shown decoded here; the other columns are unchanged.

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x23e0        0x2400    False     0.4048394097222222  data       5.478017291979394   IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x4000           0x11c740      0x11c800  False     0.5974554454086116  data       7.225524033860887   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0x121000         0x780         0x800     False     0.35302734375       data       4.387951750965196   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_MEM_READ
.pdata  0x122000         0x1e0         0x200     False     0.517578125         data       3.9992360356246457  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_READ
.xdata  0x123000         0x1f0         0x200     False     0.283203125         data       3.5754301813321585  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_READ
.bss    0x124000         0x18          0x0       False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0x125000         0x624         0x800     False     0.27685546875       data       3.547836509148556   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x126000         0x268         0x400     False     0.30078125          data       2.080031547408184   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
No section is both writable and executable, .text is only 9 KB of code, and the 1.1 MB .data section at entropy 7.2 holds the bulk of the file; the memory dump that contained the AsusDownLoadLicense.exe version string lies inside it.
Name        RVA       Size   Type  Language  Country
RT_VERSION  0x126058  0x210  data  English   United States

DLL        Import
ntdll.dll  NtClose, NtCreateFile, NtDelayExecution, NtDeleteKey, NtDeleteValueKey, NtDisplayString, NtFsControlFile, NtOpenKey, NtQueryAttributesFile, NtQueryInformationFile, NtQuerySystemTime, NtQueryValueKey, NtReadFile, NtSetInformationFile, NtSetValueKey, NtTerminateProcess, NtWriteFile, RtlAllocateHeap, RtlCreateHeap, RtlDestroyHeap, RtlDosPathNameToNtPathName_U, RtlFreeHeap, RtlFreeUnicodeString, RtlInitUnicodeString, RtlSystemTimeToLocalTime, RtlTimeToTimeFields, ZwClose, ZwCreateKey, ZwFlushBuffersFile, ZwWriteFile, _snwprintf, memcpy, memset, sprintf, strcat, strcmp, str_len, vsprintf_s, vswprintf_s, wcscat, wcslen
ntdll.dll is the only imported module: no kernel32.dll, user32.dll or networking library. That is the signature of a native-subsystem application, which runs before the Win32 subsystem exists and reaches the kernel only through Nt*/Zw* and Rtl* routines. The set matches the function strings below: NtCreateFile, NtWriteFile and ZwFlushBuffersFile for the file drop; ZwCreateKey, NtOpenKey, NtQueryValueKey, NtSetValueKey and NtDeleteKey for the service registration; RtlDosPathNameToNtPathName_U to turn a DOS path into the \??\ form the Nt* calls require; and NtDisplayString, the call native boot-time applications use to write text to the screen.

Language of compilation system  Country where language is spoken
English                          United States
No network behavior found
Target ID:3
Start time:01:04:38
Start date:01/11/2022
Path:C:\Users\user\Desktop\wpbbin.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\Desktop\wpbbin.exe
Imagebase:0x400000
File size:1223640 bytes
MD5 hash:E92A370FCA78ACDBC0759BB55BF97C37
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Non-executed Functions

Strings
Memory Dump Source
  • Source File: 00000003.00000002.287286426.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000002.287281760.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287291597.0000000000404000.00000008.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287548803.0000000000521000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287556102.0000000000525000.00000008.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_400000_wpbbin.jbxd
Similarity
  • API ID:
  • String ID: %systemroot%\System32\AsusUpdateCheck.exe$AsusUpdateCheck$DisplayName$ErrorControl$ImagePath$LocalSystem$ObjectName$Start$Type$\SYSTEM\CurrentControlSet\Services\AsusUpdateCheck$onWriteDwoardRegKey SUCESS$onWriteDwoardRegKey fail$onWriteStringRegKey SUCESS$onWriteStringRegKey fail$open handle Services fail$open handle Services sucess
  • API String ID: 0-3765923178
  • Opcode ID: 2ece0db947540bfa013a7f06838f5109905636c6ec77b3c440adedca1adfb62f
  • Instruction ID: 961da6c9385ff79b20df5069fdb9dca77b2de92219eb963d2615e336ef212b46
  • Opcode Fuzzy Hash: 2ece0db947540bfa013a7f06838f5109905636c6ec77b3c440adedca1adfb62f
  • Instruction Fuzzy Hash: 1781E475A11E0999EF04DF66EC8439A3771FBA9BCAF044426CD0D27B64DE78C245CB88
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000003.00000002.287286426.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000002.287281760.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287291597.0000000000404000.00000008.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287548803.0000000000521000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287556102.0000000000525000.00000008.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_400000_wpbbin.jbxd
Similarity
  • API ID:
  • String ID: 0$4$6$Open register fail %lx$Open register successfully$\Registry\Machine\SOFTWARE
  • API String ID: 0-3144224826
  • Opcode ID: 8db929dcb7c8635029490e5e4309f7128718ccf3f4a3cc7d2cce77da352c0985
  • Instruction ID: 069aee9be55629dd4136c9dc146f200e6ccb73b6744d98ca1fcea9a99dd12269
  • Opcode Fuzzy Hash: 8db929dcb7c8635029490e5e4309f7128718ccf3f4a3cc7d2cce77da352c0985
  • Instruction Fuzzy Hash: 0211E676B21F10D9EB00CBA5E88439E3774BB45B89F544016CE0C2BB68DB78C649CB48
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000003.00000002.287286426.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000002.287281760.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287291597.0000000000404000.00000008.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287548803.0000000000521000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287556102.0000000000525000.00000008.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_400000_wpbbin.jbxd
Similarity
  • API ID:
  • String ID: @ $0$@$NtCreateFile fail status %lx$RtlDosPathNameToNtPathName_U fail =%lx
  • API String ID: 0-142253081
  • Opcode ID: c234bdf7421fbd99af9ce0e526d2588bb8ba9aea1ab16a0a25dea6baac219048
  • Instruction ID: c7aeffd1ae133fe6227d4828e4faaa07bd11b11e11165624eca558e4b46a78de
  • Opcode Fuzzy Hash: c234bdf7421fbd99af9ce0e526d2588bb8ba9aea1ab16a0a25dea6baac219048
  • Instruction Fuzzy Hash: 74410772B14B409EE714CFA5D89839E3BB0F34578CF14405ADE492BB98CBBD8648CB84
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000003.00000002.287286426.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000002.287281760.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287291597.0000000000404000.00000008.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287548803.0000000000521000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287556102.0000000000525000.00000008.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_400000_wpbbin.jbxd
Similarity
  • API ID:
  • String ID: FileWrite fail$W2@$\SystemRoot\System32\AsusUpdateCheck.exe$close file fail$open file fail
  • API String ID: 0-4064018874
  • Opcode ID: 210bcd391451b4ac16971ecab359f5dc7a1a4245dfcea3d70728941de506fbc2
  • Instruction ID: 37a86437868a291efa7a7778f9cc81e0ba9557b504ac542d49b1f248c3fd6791
  • Opcode Fuzzy Hash: 210bcd391451b4ac16971ecab359f5dc7a1a4245dfcea3d70728941de506fbc2
  • Instruction Fuzzy Hash: B931EA75B10E1489EB00CFA6EC8439E37B4F759B89F044066DE0DA7B58DB7DD6448B44
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000003.00000002.287286426.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000002.287281760.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287291597.0000000000404000.00000008.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287548803.0000000000521000.00000002.00000001.01000000.00000004.sdmpDownload File
  • Associated: 00000003.00000002.287556102.0000000000525000.00000008.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_400000_wpbbin.jbxd
Similarity
  • API ID:
  • String ID: @ $0$@$NtCreateFile fail status %lx
  • API String ID: 0-3442546086
  • Opcode ID: dbee5ef8e5ff837da9e9bdfb5af43b431fcbf74e8b641313413a5003436e0beb
  • Instruction ID: 95c413bd034e17276557ef62e536c2ea26c01353cd77241bd25eb566ab1ed1ca
  • Opcode Fuzzy Hash: dbee5ef8e5ff837da9e9bdfb5af43b431fcbf74e8b641313413a5003436e0beb
  • Instruction Fuzzy Hash: E631E972A147809EF710CFA4E89839E3BB0F35534CF54415AEF4967B98C7B98648CB84
Uniqueness

Uniqueness Score: -1.00%
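The string groups of the first and fourth functions above describe two actions: writing \SystemRoot\System32\AsusUpdateCheck.exe through NtCreateFile/NtWriteFile, and registering a service under \SYSTEM\CurrentControlSet\Services\AsusUpdateCheck with Type, Start, ErrorControl, ImagePath (in the %systemroot% form), DisplayName and ObjectName (LocalSystem) values; the third function converts DOS paths with RtlDosPathNameToNtPathName_U before opening them. The two paths name the same file in two different syntaxes, so a detection that correlates "new executable in System32" with "new service whose ImagePath points at it" has to normalize both sides before joining them. The Python below is an added example for this page, not the report's or ASUS's code. The events are constructed in a Sysmon-like shape (EventID 11 FileCreate, EventID 13 registry value set, Sysmon's "DWORD (0x...)" rendering of numeric data); the timestamps, the writing process and the decoy records are assumptions. The correlation logic is general and flags any freshly written image that becomes a service binary within a time window, which is the persistence pattern of interest here regardless of who signed the dropper.

```python
"""Correlate a freshly written executable with a service registration that points at it.
Added example; the events are constructed in a Sysmon-like shape, not captured from a host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEMROOT = r"C:\Windows"
SERVICE_VALUE = re.compile(
    r"^(?:HKLM|\\REGISTRY\\MACHINE)\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\([^\\]+)$", re.I)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
SERVICE_TYPES = {0x01: "kernel driver", 0x02: "file system driver", 0x10: "own process", 0x20: "shared process"}

# Constructed events. File path and registry value names/data follow the string analysis above;
# timestamps, the "Image" fields and the two decoy records are assumptions made for the example.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2022-11-01T00:04:38", "Image": r"C:\Windows\System32\wpbbin.exe",
     "TargetFilename": r"C:\Windows\System32\AsusUpdateCheck.exe"},
    {"EventID": 13, "UtcTime": "2022-11-01T00:04:39", "Image": r"C:\Windows\System32\wpbbin.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AsusUpdateCheck\Type", "Details": "DWORD (0x00000010)"},
    {"EventID": 13, "UtcTime": "2022-11-01T00:04:39", "Image": r"C:\Windows\System32\wpbbin.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AsusUpdateCheck\Start", "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "UtcTime": "2022-11-01T00:04:39", "Image": r"C:\Windows\System32\wpbbin.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AsusUpdateCheck\ErrorControl", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "2022-11-01T00:04:39", "Image": r"C:\Windows\System32\wpbbin.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AsusUpdateCheck\ImagePath",
     "Details": r"%systemroot%\System32\AsusUpdateCheck.exe"},
    {"EventID": 13, "UtcTime": "2022-11-01T00:04:39", "Image": r"C:\Windows\System32\wpbbin.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AsusUpdateCheck\DisplayName", "Details": "AsusUpdateCheck"},
    {"EventID": 13, "UtcTime": "2022-11-01T00:04:39", "Image": r"C:\Windows\System32\wpbbin.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AsusUpdateCheck\ObjectName", "Details": "LocalSystem"},
    # decoy: a service value write whose image was not newly created
    {"EventID": 13, "UtcTime": "2022-11-01T00:04:50", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Dnscache\ImagePath",
     "Details": r"%SystemRoot%\System32\svchost.exe -k NetworkService -p"},
    # decoy: a file created under System32 that no service points at
    {"EventID": 11, "UtcTime": "2022-11-01T00:05:10", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\Local\Temp\tmp1.tmp"},
]


def normalize_path(raw):
    """Reduce the spellings the sample uses (%systemroot%\..., \SystemRoot\..., \??\C:\..., quoted Win32
    paths with arguments) to one lower-case executable path so both event types can be joined on it."""
    p = raw.strip().lstrip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    p = re.sub(r"^(?:%systemroot%|%windir%|\\SystemRoot)", lambda m: SYSTEMROOT, p, flags=re.I)
    m = re.match(r'^(.*?\.exe)(?=["\s]|$)', p, re.I)          # drop trailing service arguments
    return (m.group(1) if m else p).lower()


def registry_value(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000002)'; string data is kept verbatim."""
    m = re.match(r"DWORD \(0x([0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else details


def find_dropped_service(events, window=timedelta(minutes=10)):
    """Flag services whose ImagePath names a file created shortly before or after the registration."""
    created = {}                     # normalized path -> (time, creating image)
    services = defaultdict(dict)     # service name -> registry values plus first-seen time
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventID"] == 11:
            created[normalize_path(ev["TargetFilename"])] = (t, ev["Image"])
        elif ev["EventID"] == 13:
            m = SERVICE_VALUE.match(ev["TargetObject"])
            if m:
                svc, name = m.groups()
                services[svc].setdefault("_first_seen", t)
                services[svc][name] = registry_value(ev["Details"])
    findings = []
    for svc, vals in services.items():
        if "ImagePath" not in vals:
            continue
        image = normalize_path(vals["ImagePath"])
        hit = created.get(image)
        if hit is None or abs(hit[0] - vals["_first_seen"]) > window:
            continue
        findings.append({"service": svc, "image": image, "written_by": hit[1],
                         "start": START_TYPES.get(vals.get("Start"), "unknown"),
                         "type": SERVICE_TYPES.get(vals.get("Type"), "unknown"),
                         "account": vals.get("ObjectName", "LocalSystem (default)")})
    return findings


if __name__ == "__main__":
    for hit in find_dropped_service(SAMPLE_EVENTS):
        print(hit)
```

On the constructed events this yields exactly one finding: service AsusUpdateCheck, image c:\windows\system32\asusupdatecheck.exe, auto-start, own-process, running as LocalSystem, written by the wpbbin.exe process in the sample data. The Dnscache write is ignored because svchost.exe was not newly created, and the temp file is ignored because no service points at it. Start type 2 and ObjectName LocalSystem are the two values that make this persistence rather than a one-off, so a real deployment should keep them in the alert rather than collapsing the rule to "new service key".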