Windows
Analysis Report
DrvMonitor.exe
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
- DrvMonitor.exe (PID: 6348 cmdline: "C:\Users\user\Desktop\DrvMonitor.exe" MD5: 9BA76EB1C36E56F838E0D9E601A96DBC)
- cleanup
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
System Summary |
---|
Source: | Window found: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | File read: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Static PE information: |
Malware Analysis System Evasion |
---|
Source: | User Timer Set: |
Source: | User Timer Set: |
Source: | User Timer Set: |
Source: | Registry key queried: |
Source: | Registry key queried: |
Source: | Registry key queried: |
Source: | Registry key queried: |
Source: | Registry key queried: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process information queried: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Software Packing | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 96% | ReversingLabs | Win32.Worm.Generic | |
| 84% | Virustotal | | Browse |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1501615 |
Start date and time: | 2024-08-30 08:29:46 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Sample name: | DrvMonitor.exe |
Detection: | MAL |
Classification: | mal56.evad.winEXE@1/0@0/0 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, login.live.com, settings-win.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
File type: | |
Entropy (8bit): | 7.967014132549632 |
TrID: | |
File name: | DrvMonitor.exe |
File size: | 205'167 bytes |
MD5: | 9ba76eb1c36e56f838e0d9e601a96dbc |
SHA1: | fbef3d4c790c6399c44e9334961fe4c2b2e85a94 |
SHA256: | 01739ee4fd9805930ea2cfa586ed1bb6d91655771263a7e672fa0ef9ca8b5648 |
SHA512: | 4aa7403b5adc05491fe83d668a320e12e409639b2ff2dac183b8f2583892ea512a9a8fbaf4ef18b50ade312bdc3a3d313fd0840b7dd3aee4b2755eb1064c0177 |
SSDEEP: | 6144:jrTUGXDncBO9CRvpnWA2Q4qLpBZFQNmmN7Am1zoSNQs:lzcmEnv2QHTZFajhAmJoSCs |
TLSH: | 8614124659228ED4F0C243754E1AA43B3464BA0596A6478B9ED0EB5FECB3E0C6B4C31F |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......SjS...=...=...=...2...=...b.c.=...b...=..(!...=...`...=..(6...=..($...=...`...=...<.|.=...]...=...c...=...g...=.Rich..=........ |
Icon Hash: | 81e8bebfc1e14125 |
Entrypoint: | 0x46f1c0 |
Entrypoint Section: | UPX1 |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x47D3FE43 [Sun Mar 9 15:12:03 2008 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | db81c626dd6a61c645d4eb4f28fb7c5e |
Instruction |
---|
pushad |
mov esi, 00440000h |
lea edi, dword ptr [esi-0003F000h] |
push edi |
mov ebp, esp |
lea ebx, dword ptr [esp-00003E80h] |
xor eax, eax |
push eax |
cmp esp, ebx |
jne 00007FB7A4DE200Dh |
inc esi |
inc esi |
push ebx |
push 0006D8A7h |
push edi |
add ebx, 04h |
push ebx |
push 0002F1BEh |
push esi |
add ebx, 04h |
push ebx |
push eax |
mov dword ptr [ebx], 00020003h |
nop |
nop |
nop |
nop |
nop |
push ebp |
push edi |
push esi |
push ebx |
sub esp, 7Ch |
mov edx, dword ptr [esp+00000090h] |
mov dword ptr [esp+74h], 00000000h |
mov byte ptr [esp+73h], 00000000h |
mov ebp, dword ptr [esp+0000009Ch] |
lea eax, dword ptr [edx+04h] |
mov dword ptr [esp+78h], eax |
mov eax, 00000001h |
movzx ecx, byte ptr [edx+02h] |
mov ebx, eax |
shl ebx, cl |
mov ecx, ebx |
dec ecx |
mov dword ptr [esp+6Ch], ecx |
movzx ecx, byte ptr [edx+01h] |
shl eax, cl |
dec eax |
mov dword ptr [esp+68h], eax |
mov eax, dword ptr [esp+000000A8h] |
movzx esi, byte ptr [edx] |
mov dword ptr [ebp+00h], 00000000h |
mov dword ptr [esp+60h], 00000000h |
mov dword ptr [eax], 00000000h |
mov eax, 00000300h |
mov dword ptr [esp+64h], esi |
mov dword ptr [esp+5Ch], 00000001h |
mov dword ptr [esp+58h], 00000001h |
mov dword ptr [esp+54h], 00000001h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x70f48 | 0x2c4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0xf48 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
UPX0 | 0x1000 | 0x3f000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
UPX1 | 0x40000 | 0x30000 | 0x2fe00 | 8fd849d73afa247cc44004a1f134999e | False | 0.9946760770234987 | ARC archive data, packed | 7.99710590131113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x70000 | 0x2000 | 0x1400 | 818b939a8639fcd6b3849565b7aaf41c | False | 0.3603515625 | data | 3.992876329118283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x7020c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.32355595667870035 |
RT_MENU | 0x6bab0 | 0x2c8 | data | English | United States | 1.0154494382022472 |
RT_DIALOG | 0x6bd78 | 0xe8 | data | English | United States | 1.0474137931034482 |
RT_ACCELERATOR | 0x6be60 | 0x48 | data | English | United States | 1.1527777777777777 |
RT_GROUP_ICON | 0x70ab8 | 0x14 | data | English | United States | 1.15 |
RT_VERSION | 0x70ad0 | 0x250 | data | English | United States | 0.49155405405405406 |
RT_MANIFEST | 0x70d24 | 0x221 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5486238532110091 |
DLL | Import |
---|---|
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
ADVAPI32.dll | RegCloseKey |
COMCTL32.dll | |
comdlg32.dll | GetOpenFileNameA |
GDI32.dll | BitBlt |
ole32.dll | CoInitialize |
OLEAUT32.dll | OleLoadPicture |
SHELL32.dll | DragFinish |
USER32.dll | GetDC |
VERSION.dll | VerQueryValueA |
WINMM.dll | mixerOpen |
WSOCK32.dll | WSACleanup |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |