Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1521609
MD5:	9d958b1b7187937c564f3a9e1c2f3541
SHA1:	93022628e0119f86c3571dc8e585b37bb46cfc0e
SHA256:	02773e1e5b99fb93addb1bb5278cf5e969127dd8b18a301dc5f556985f630193
Tags:	exex64user-jstrosch
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

PE file contains section with special chars

Creates a DirectInput object (often for capturing keystrokes)

Entry point lies outside standard sections

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6280 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9D958B1B7187937C564F3A9E1C2F3541)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: file.exe

Static PE information: certificate valid

Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe	String found in binary or memory: http://www.cabal.com0/
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0

Source: file.exe

Binary or memory string: DirectInput8Create

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:

Source: file.exe

Static PE information: Number of sections : 11 > 10

Source: file.exe, 00000000.00000002.2922449901.00000001412FF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSnake.exeD vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSnake.exeD vs file.exe

Source: classification engine

Classification label: sus23.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3dx9_43.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: libogg.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: libvorbis.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fmod64.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: file.exe

Static PE information: certificate valid

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 10156848 > 1048576

Source: file.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x47ca00
Source: file.exe	Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x415a00

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .themida
Source: file.exe	Static PE information: section name: .boot

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127B103 push rdx; retf	0_2_000000014127B10E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127A54E push rdi; retf	0_2_000000014127A556
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000141279955 push FFFFFFE8h; retf	0_2_000000014127995A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127BD27 push rsp; retf	0_2_000000014127BD36
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127A92D push rdx; retf	0_2_000000014127A92E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000141278588 push rdi; ret	0_2_000000014127858E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127998B push rdi; retf	0_2_000000014127999A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000141279961 push rcx; retf	0_2_0000000141279962
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000141277D75 push rdi; retf	0_2_0000000141277D76
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127B571 push rdi; retf	0_2_000000014127B572
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00000001412771C3 push rdi; retf	0_2_00000001412771C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127BDCF push FFFFFFA8h; ret	0_2_000000014127BDD6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127A1A3 pushfq ; ret	0_2_000000014127A1A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127BDB7 pushfq ; ret	0_2_000000014127BDBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000141277DC0 push rdi; retf	0_2_0000000141277DC1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127A3E5 push rax; retf	0_2_000000014127A3E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127B7E9 push rdi; retf	0_2_000000014127B7EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127B43B push D74EDD55h; retf	0_2_000000014127B441
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127886C pushfq ; ret	0_2_0000000141278886
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127907B push rax; retf	0_2_0000000141279082
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00000001412794CF push rcx; retf	0_2_00000001412794DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127B0D7 push rdi; retf	0_2_000000014127B0E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00000001412770D3 push FFFFFF85h; retf	0_2_00000001412770E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127A712 push rcx; retf	0_2_000000014127A716
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00000001412776FF push rdi; retf	0_2_0000000141277702
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000141278F4E push rbp; ret	0_2_0000000141278F4F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000141278F55 push rdx; retf	0_2_0000000141278F82
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127AB55 push rbx; ret	0_2_000000014127AB56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127B35D push rdx; retf	0_2_000000014127B35E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127AB35 push rcx; retf	0_2_000000014127AB3A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014127BF39 push rdx; retf	0_2_000000014127BF42

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	1 Input Capture	1 System Information Discovery	Remote Services	1 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.cabal.com0/	file.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521609
Start date and time:	2024-09-29 01:06:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	SUS
Classification:	sus23.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 6280 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.985872838106877
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	10'156'848 bytes
MD5:	9d958b1b7187937c564f3a9e1c2f3541
SHA1:	93022628e0119f86c3571dc8e585b37bb46cfc0e
SHA256:	02773e1e5b99fb93addb1bb5278cf5e969127dd8b18a301dc5f556985f630193
SHA512:	e45e53120589adb685b4142e47bedd45bc6d8d0e34b67b3e081aab681a30ab1dc27d5767c702842ff6268735b3b1f1dc1f9935f9628ed3f0bdaddc147f7ee9b5
SSDEEP:	196608:bfLVWfspDtlxWa7/NhQLf+45PNEbYCELNJsCZkRbM6rXdN+NZeloyodUpY:PAsDtlVNh+PNJ/RP+xpjyGpgb
TLSH:	43A6331647683DA3ECCB09F995F0E461165B1B884DA06DBEA6973CF72D5F001ABCE48C
File Content Preview:	MZ......................@...................................x...........!..L.!This program cannot be run in DOS mode....$........................................\|}.....................Dmf..............2q....................................................

File Icon


Icon Hash:	4f072b0d2d33050f

Static PE Info

General

Entrypoint:	0x1419da058
Entrypoint Section:	.boot
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x66DF97E9 [Tue Sep 10 00:50:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	46f08dad0fe65de8b9bb7e3676c8e397

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	07/02/2024 00:00:00 25/03/2026 23:59:59
Subject Chain	CN=ESTgames Corp., O=ESTgames Corp., L=Seocho-gu, S=Seoul, C=KR
Version:	3
Thumbprint MD5:	AC5AB13D33755EBBEB45C3EA2D4FABDD
Thumbprint SHA-1:	DB4545F4F6F51A55C4F6C2DDAE49A476A9A6C02B
Thumbprint SHA-256:	F967C9BB12C539DB91FA4BF618BDEC5BC9959716FD36EA14F4BF2F8AD8059763
Serial:	095A199BF2065A7B5C44A6093BA2322D

Entrypoint Preview

Instruction
call 00007F9AF92698F7h
inc ecx
push edx
dec ecx
mov edx, esp
inc ecx
push edx
dec ecx
mov esi, dword ptr [edx+10h]
dec ecx
mov edi, dword ptr [edx+20h]
cld
mov dl, 80h
mov al, byte ptr [esi]
dec eax
inc esi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007F9AF9269779h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F9AF9269756h
add dl, dl
jne 00007F9AF9269779h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F9AF92697D0h
xor eax, eax
add dl, dl
jne 00007F9AF9269779h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F9AF9269878h
add dl, dl
jne 00007F9AF9269779h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F9AF9269779h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F9AF9269779h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F9AF9269779h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
je 00007F9AF926977Bh
push edi
mov eax, eax
dec eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
jmp 00007F9AF92696FAh
mov eax, 00000001h
add dl, dl
jne 00007F9AF9269779h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F9AF9269779h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jc 00007F9AF9269758h
sub eax, ebx
mov ebx, 00000001h
jne 00007F9AF92697A0h
mov ecx, 00000001h

Rich Headers

Programming Language:

[IMP] VS2012 UPD4 build 61030
[IMP] VS2005 build 50727
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12fd2c4	0x358	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12ff000	0x4f20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1930a2c	0x7f2f0	.themida
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9ad200	0x2930
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x12fe018	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0xb1fb54	0x47ca00	0b5c5fa715ee65f401908252f3413c23	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0xb21000	0x263b28	0xb8600	5ae9a83b9c8a0923211eaa28d632a732	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xd85000	0x4f1510	0x9400	5778f03dad6bc574d5a9d2519e2e18c4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x1277000	0x7f2d8	0x50200	553dc38a7a460a6474b2b2f633d4ba4f	False	0.9502425409516381	data	7.610813716335416	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x12f7000	0x94	0x200	177b1840f39f637bb80cab0164d9b175	False	0.87109375	data	6.201769694338365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x12f8000	0x4f78	0x3000	5c115ee8007af39fbe7ecab381814164	False	0.966552734375	data	7.85492178904316	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x12fd000	0x1000	0x800	df46b5b20f59d45bab9d66427015eb70	False	0.33447265625	data	3.4655979529148304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x12fe000	0x1000	0x200	2850e14769b1d98d01edea1e48b35b9c	False	0.0625	data	0.28456851570206254	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12ff000	0x5000	0x5000	a469833a922582e2db54b2d39f3947c8	False	0.5798828125	data	6.049390747037397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida	0x1304000	0x6d6000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x19da000	0x415a00	0x415a00	bfaf92c3747689bef61b7534c0d7fe42	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12ff180	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.8429602888086642
RT_ICON	0x12ffa38	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.6755780346820809
RT_ICON	0x12fffb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.553941908713693
RT_ICON	0x1302568	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.6463414634146342
RT_ICON	0x1303620	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.4104609929078014
RT_GROUP_ICON	0x1303a98	0x4c	data	English	United States	0.7631578947368421
RT_VERSION	0x1303af4	0x290	MS Windows COFF PA-RISC object file	Korean	North Korea	0.5060975609756098
RT_VERSION	0x1303af4	0x290	MS Windows COFF PA-RISC object file	Korean	South Korea	0.5060975609756098
RT_MANIFEST	0x1303d94	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
DINPUT8.dll	DirectInput8Create
d3dx9_43.dll	D3DXSaveSurfaceToFileInMemory
d3d9.dll	Direct3DCreate9
WINMM.dll	waveOutClose
IMM32.dll	ImmSetOpenStatus
VERSION.dll	VerQueryValueA
urlmon.dll	URLDownloadToFileA
WININET.dll	InternetOpenA
USER32.dll	LoadIconA
GDI32.dll	AddFontResourceA
ADVAPI32.dll	RegOpenKeyExA
SHELL32.dll	ShellExecuteA
ole32.dll	OleLockRunning
OLEAUT32.dll	SysStringLen
SHLWAPI.dll	PathFileExistsA
WS2_32.dll	bind
MSWSOCK.dll	AcceptEx
WINHTTP.dll	WinHttpCloseHandle
imagehlp.dll	CheckSumMappedFile
libogg.dll	ogg_stream_packetin
libvorbis.dll	vorbis_analysis_buffer
fmod64.dll	?getNumChannels@ChannelGroup@FMOD@@QEAA?AW4FMOD_RESULT@@PEAH@Z

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Korean	North Korea
Korean	South Korea

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 01:07:12.472438097 CEST	53	58844	1.1.1.1	192.168.2.4

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: file.exePID: 6280, Parent PID: 2580

General

Target ID:	0
Start time:	19:06:49
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x140000000
File size:	10'156'848 bytes
MD5 hash:	9D958B1B7187937C564F3A9E1C2F3541
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: file.exePID: 6280, Parent PID: 2580

General

Chronological Activities

Disassembly

Windows Analysis Report
file.exe