Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1521604 |
| MD5: | 4fed3d45c6e03e3c723f2bae2678b6ca |
| SHA1: | b6c5a52d130573f8facba126caf3f5f50c7e8d69 |
| SHA256: | 36dbd88e04005441a30022160e04c365b046526b4a384d6b32262f277746b7fe |
| Tags: | NETexeMSILuser-jstrosch |
| Infos: | |
 | |
Detection
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
file.exe (PID: 7348 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 4FED3D45C6E03E3C723F2BAE2678B6CA) - update.exe (PID: 7936 cmdline:
"C:\Users\ user\Deskt op\update. exe" mmopa radox MD5: C759782F6ADB12299D675EC619B53572)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-29T01:01:56.603926+0200 | 2827449 | 1 | Attempted User Privilege Gain | 194.233.88.151 | 80 | 192.168.2.9 | 49716 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-29T01:01:43.998751+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49713 | 194.233.88.151 | 80 | TCP |
| 2024-09-29T01:01:50.164661+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49714 | 194.233.88.151 | 80 | TCP |
| 2024-09-29T01:01:50.489712+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49714 | 194.233.88.151 | 80 | TCP |
| 2024-09-29T01:01:51.627546+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49714 | 194.233.88.151 | 80 | TCP |
| 2024-09-29T01:01:56.601784+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49716 | 194.233.88.151 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0301CD58 | |
| Source: | Code function: | 0_2_0301CD58 | |
| Source: | Code function: | 0_2_0301CB0C | |
| Source: | Code function: | 0_2_0301CB0C | |
| Source: | Code function: | 5_2_0EEF23D8 | |
| Source: | Code function: | 5_2_0EEF23D8 | |
| Source: | Code function: | 5_2_0EEF23CF | |
| Source: | Code function: | 5_2_0EEF23CF | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||