Windows Analysis Report
LV1tuFUlee.exe

Overview

General Information

Sample name:LV1tuFUlee.exe
renamed because original name is a hash value
Original sample name:b4584d84d9fcaec7a66a357904cd5f32.exe
Analysis ID:1521400
MD5:b4584d84d9fcaec7a66a357904cd5f32
SHA1:ef9110d83bee93110eb2c1681185b94210dea722
SHA256:7cd506f9ba1aa8e69dbe914d28991ba7470277fdb273626dbe606c1abf5e6daf
Tags:exe, user-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


Source: LV1tuFUlee.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: LV1tuFUlee.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: time.windows.com
Source: LV1tuFUlee.exe; Static PE information: No import functions for PE file found
Source: LV1tuFUlee.exe; Static PE information: Data appended to the last section found
Source: LV1tuFUlee.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine; Classification label: unknown1.winEXE@0/0@1/0
Source: LV1tuFUlee.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LV1tuFUlee.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LV1tuFUlee.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LV1tuFUlee.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5ec600
Source: LV1tuFUlee.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LV1tuFUlee.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
MITRE ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact).
Techniques with a hit count of 1, both under Command and Control: Non-Application Layer Protocol; Application Layer Protocol. All other matrix cells are unmatched placeholder techniques.
Source | Detection | Scanner | Label | Link
LV1tuFUlee.exe | 3% | ReversingLabs | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
time.windows.com | unknown | unknown | false | | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1521400
Start date and time:2024-09-28 08:41:01 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 28s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:LV1tuFUlee.exe
renamed because original name is a hash value
Original Sample Name:b4584d84d9fcaec7a66a357904cd5f32.exe
Detection:UNKNOWN
Classification:unknown1.winEXE@0/0@1/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.101.57.9
  • Excluded domains from analysis (whitelisted): twc.trafficmanager.net
  • VT rate limit hit for: LV1tuFUlee.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.478462544789037
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:LV1tuFUlee.exe
File size:77'873 bytes
MD5:b4584d84d9fcaec7a66a357904cd5f32
SHA1:ef9110d83bee93110eb2c1681185b94210dea722
SHA256:7cd506f9ba1aa8e69dbe914d28991ba7470277fdb273626dbe606c1abf5e6daf
SHA512:5c73c4d0bd082ed45cb91352cd805fc31a9b67275603e7d817e35e77efcf2d8b13db93dcfd608144c3866bfb4aa123dae07d6af90be9f84d13df2c23677cdee5
SSDEEP:1536:LcmpxNSuytXDK4L5W6Ce7/tc0WDhM0xGqxXoUXQsm6Szv:RMXDKv7ezVsnXPXQs/cv
TLSH:1273EC2F7F149D71D0001B72CCD9C6F00FA82B216A92D66975B632AEE9153AEDCCD05E
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~..f..................^...........^.. ...._...@.. .......................@a...........@................................
Icon Hash:00928e8e8686b000
Entrypoint:0x9ee52e
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x66B5A57E [Fri Aug 9 05:13:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5ee4e0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5f2000 | 0x1f70c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x60c800 | 0x36b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x612000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5ee498 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x5ec534 | 0x5ec600 | 9987c5ec7d5277d4dec95816ce80e7a9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata | 0x5f0000 | 0x280 | 0x400 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5f2000 | 0x1f70c | 0x1f800 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x612000 | 0xc | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 28, 2024 08:42:02.023763895 CEST | 60218 | 53 | 192.168.2.7 | 1.1.1.1

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 28, 2024 08:42:02.023763895 CEST | 192.168.2.7 | 1.1.1.1 | 0x9776 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 28, 2024 08:42:02.030522108 CEST | 1.1.1.1 | 192.168.2.7 | 0x9776 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
No statistics
No system behavior
No disassembly