
Windows Analysis Report
J0YZ3B2MaR.exe

Overview

General Information

Sample name: J0YZ3B2MaR.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: aacc7f8ef0641f3e4589e5ad51a7a4e4be2bbca507179b3de00d528e9b89802d
Analysis ID: 1520420
MD5: 6407f11a5a777273e3c84f7f2e601cfa
SHA1: 237818b28724b8eca6166bcb6b7c2dc1dee13abc
SHA256: aacc7f8ef0641f3e4589e5ad51a7a4e4be2bbca507179b3de00d528e9b89802d

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Enables debug privileges
Enables security privileges
Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64
  • J0YZ3B2MaR.exe (PID: 6316 cmdline: "C:\Users\user\Desktop\J0YZ3B2MaR.exe" MD5: 6407F11A5A777273E3C84F7F2E601CFA)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: J0YZ3B2MaR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\J0YZ3B2MaR.exe | Process token adjusted: Security
Source: classification engine | Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\J0YZ3B2MaR.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\J0YZ3B2MaR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\J0YZ3B2MaR.exe | Section loaded: apphelp.dll

Hooking and other Techniques for Hiding and Protection

Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon.png
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\J0YZ3B2MaR.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\J0YZ3B2MaR.exe | Process token adjusted: Debug
MITRE ATT&CK Matrix (a count in brackets marks a technique matched by a signature; the remaining entries are the matrix's default techniques for each tactic):

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts
  • Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts
  • Defense Evasion: Masquerading (1); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: Process Discovery (1); System Information Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: Data Obfuscation; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label | Link
J0YZ3B2MaR.exe | 3% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520420
Start date and time: 2024-09-27 10:49:54 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: J0YZ3B2MaR.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name: aacc7f8ef0641f3e4589e5ad51a7a4e4be2bbca507179b3de00d528e9b89802d
Detection: MAL
Classification: mal48.winEXE@1/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • VT rate limit hit for: J0YZ3B2MaR.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.224011389921336
TrID:
  • Win32 Executable (generic) a (10002005/4) 97.38%
  • Win32 Executable Borland Delphi 6 (262906/60) 2.56%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name: J0YZ3B2MaR.exe
File size: 43'008 bytes
MD5: 6407f11a5a777273e3c84f7f2e601cfa
SHA1: 237818b28724b8eca6166bcb6b7c2dc1dee13abc
SHA256: aacc7f8ef0641f3e4589e5ad51a7a4e4be2bbca507179b3de00d528e9b89802d
SHA512: 6bae33de1a2bec58ae72cefa8d3ed1c58c8e4f15221f0141e15eea76cda56baf84a97fb3567759191174863c9743e3f2d938e0c9393d0e22fb6752c0f0718993
SSDEEP: 768:dC7qAQBjwRHVzvjWxWYCLo6sil9lgjRpe6JtQ9PKn23+34ytuvOHPQIh8x:s7qAQU1zCPioAgjjn2w0GvGx
TLSH: 7D135B17A6E19C70E860CBBC1C38A219EA3FBD306C7D46BAA774598D4C256C14CC9377
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: c1692e1f373f1307
Entrypoint: 0x408648
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: (none)
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e50f70effc626cdae406defa6be365d4
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFECh
xor eax, eax
mov dword ptr [ebp-14h], eax
mov eax, 004085F8h
call 00007F0974ED5348h
xor eax, eax
push ebp
push 00408696h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
lea edx, dword ptr [ebp-14h]
mov eax, 00000001h
call 00007F0974ED34F5h
mov eax, dword ptr [ebp-14h]
call 00007F0974ED91EDh
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
push 0040869Dh
lea eax, dword ptr [ebp-14h]
call 00007F0974ED44D0h
ret
jmp 00007F0974ED3EF2h
jmp 00007F0974ED93F2h
call 00007F0974ED43D3h
mov eax, eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb000 | 0x6f2 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xbe0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xd000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x76a4 | 0x7800 | 834e4a567a6a4aa12d2c4fd9d5409f61 | False | 0.58740234375 | data | 6.445222784630054 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x9000 | 0x3fc | 0x400 | 4f34116f2289d19a175dee7e174c73c6 | False | 0.48828125 | Matlab v4 mat-file (little endian), numeric, rows 0, columns 4230402 | 3.910423216917626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xa000 | 0x801 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb000 | 0x6f2 | 0x800 | b1a0545c402013b2eb0876789121ced6 | False | 0.38232421875 | data | 4.131703186873021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xc000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xd000 | 0x18 | 0x200 | 31162c9a6c33a3466b9d89ba82106627 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xbe0 | 0xc00 | b72701ebd8ab03203bcac7a60ea69818 | False | 0.8118489583333334 | data | 6.5478600429947935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x1200 | 0x1200 | 331dda00ed61b51003e922d01917d4d7 | False | 0.3433159722222222 | data | 3.5299525385068367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf258 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | German | Germany | 0.5013440860215054
RT_STRING | 0xf540 | 0xf0 | data | | | 0.4666666666666667
RT_STRING | 0xf630 | 0xd8 | data | | | 0.5740740740740741
RT_STRING | 0xf708 | 0x260 | data | | | 0.4457236842105263
RT_STRING | 0xf968 | 0x37c | data | | | 0.4080717488789238
RT_STRING | 0xfce4 | 0x2a0 | data | | | 0.4017857142857143
RT_RCDATA | 0xff84 | 0x10 | data | | | 1.5
RT_RCDATA | 0xff94 | 0x64 | data | | | 0.99
RT_GROUP_ICON | 0xfff8 | 0x14 | data | German | Germany | 1.2
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
kernel32.dll | WriteFile, VirtualQuery, TerminateProcess, OpenProcess, LoadLibraryA, GetVersionExA, GetThreadLocale, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetDiskFreeSpaceA, GetCurrentProcess, GetCPInfo, GetACP, EnumCalendarInfoA, CloseHandle
user32.dll | MessageBoxA, LoadStringA, GetSystemMetrics, CharNextA, CharToOemA
Language of compilation system | Country where language is spoken
German | Germany
No network behavior found

Target ID: 0
Start time: 04:50:44
Start date: 27/09/2024
Path: C:\Users\user\Desktop\J0YZ3B2MaR.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\J0YZ3B2MaR.exe"
Imagebase: 0x400000
File size: 43'008 bytes
MD5 hash: 6407F11A5A777273E3C84F7F2E601CFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

No disassembly