Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522708
MD5:	30b8e89d006911aedd4ddd9f199cea4b
SHA1:	fdb6adf5fee95333a5f0811249ef35a9b0a6a5a4
SHA256:	2315b5fa9423d0538154c84333a95d3fcea5011f9fb3b1585608b3ffcd70d4ca
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Enables debug privileges

Found evasive API chain (may stop execution after accessing registry keys)

PE file contains executable resources (Code or Archives)

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3468 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 30B8E89D006911AEDD4DDD9F199CEA4B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 73%

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: file.exe	Static PE information: Resource name: IDR_BINARY type: PE32 executable (console) Intel 80386, for MS Windows
Source: file.exe	Static PE information: Resource name: IDR_BINARY type: PE32 executable (console) Intel 80386, for MS Windows

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401170 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_00401170

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004014C0 GetModuleHandleA,FindResourceA,SizeofResource,LoadResource,LockResource,??2@YAPAXI@Z,memset,memcpy,FreeResource,

0_2_004014C0

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\file.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401F71 push ecx; ret

0_2_00401F84

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_0-337
Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep			graph_0-338

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401740 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

0_2_00401740

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401740 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,		0_2_00401740
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401CA3 SetUnhandledExceptionFilter,		0_2_00401CA3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401FD8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00401FD8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	74%	ReversingLabs	Win32.Downloader.Small
file.exe	100%	Avira	TR/Dropper.Gen

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522708
Start date and time:	2024-09-30 15:47:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal56.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
VT rate limit hit for: file.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.4518192204256555
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	148'480 bytes
MD5:	30b8e89d006911aedd4ddd9f199cea4b
SHA1:	fdb6adf5fee95333a5f0811249ef35a9b0a6a5a4
SHA256:	2315b5fa9423d0538154c84333a95d3fcea5011f9fb3b1585608b3ffcd70d4ca
SHA512:	022eaffd80029c29b110967cb2ee7df50bee5544a64b6ccb4e71ded5f968e0abcdb4d048a6dbf81a89a5548e90d6b8ba021e60c76ddf1ee784c87fd76b296fed
SSDEEP:	384:YsjQQs+IoTeJ5hv4UCYte0I+eTUsRZXvXshycJuOCqzGGd:YsMQs+IZHfM0xeTUiXUxJuOdV
TLSH:	E8E3190AFE4A8073EB4904704ABB87728679AD9237992DD3F7A03D5D1E712E4D4370AD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>l..z...z...z...suL.x...suJ.y...su\.o...]...}...z.../...su[.~...d_K.{...suN.{...Richz...................PE..L...Y2.d...........

File Icon


Icon Hash:	498a80a2a2808241

Static PE Info

General

Entrypoint:	0x401b51
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64B63259 [Tue Jul 18 06:34:01 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f85297283baf098bf5fa8be9bc88cd5b

Entrypoint Preview

Instruction
call 00007F464906CBF7h
jmp 00007F464906C4ABh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00404470h], eax
mov dword ptr [0040446Ch], ecx
mov dword ptr [00404468h], edx
mov dword ptr [00404464h], ebx
mov dword ptr [00404460h], esi
mov dword ptr [0040445Ch], edi
mov word ptr [00404488h], ss
mov word ptr [0040447Ch], cs
mov word ptr [00404458h], ds
mov word ptr [00404454h], es
mov word ptr [00404450h], fs
mov word ptr [0040444Ch], gs
pushfd
pop dword ptr [00404480h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00404474h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00404478h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00404484h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004043C0h], 00010001h
mov eax, dword ptr [00404478h]
mov dword ptr [00404374h], eax
mov dword ptr [00404368h], C0000409h
mov dword ptr [0040436Ch], 00000001h
mov eax, dword ptr [0040410Ch]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00404110h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000074h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x330c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5000	0x221a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3240	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x134	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x109e	0x1200	a323d1870bf955f6e83fd80636efeb6f	False	0.5785590277777778	data	5.873972334424002	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x998	0xa00	2e7815fccb03737f51647a97e4a041a2	False	0.4890625	data	5.09436216768118	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x6b8	0x200	2c40a5d907f5823b371fac7ff96cef07	False	0.12109375	data	0.866880996983977	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5000	0x221a8	0x22200	64cede2f11823ce74fa297697e08e32c	False	0.06317965888278389	data	1.1215357378185524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
IDR_BINARY	0x51c0	0x21800	PE32 executable (console) Intel 80386, for MS Windows	Korean	North Korea	0.06217204990671642
IDR_BINARY	0x51c0	0x21800	PE32 executable (console) Intel 80386, for MS Windows	Korean	South Korea	0.06217204990671642
RT_ICON	0x269c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Korean	North Korea	0.15994623655913978
RT_ICON	0x269c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Korean	South Korea	0.15994623655913978
RT_ICON	0x26ca8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Korean	North Korea	0.3344594594594595
RT_ICON	0x26ca8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Korean	South Korea	0.3344594594594595
RT_GROUP_ICON	0x26dd0	0x22	data	Korean	North Korea	1.0
RT_GROUP_ICON	0x26dd0	0x22	data	Korean	South Korea	1.0
RT_VERSION	0x26df4	0x150	data	Korean	North Korea	0.5357142857142857
RT_VERSION	0x26df4	0x150	data	Korean	South Korea	0.5357142857142857
RT_MANIFEST	0x26f44	0x261	ASCII text, with CRLF line terminators	English	United States	0.5139573070607554

Imports

DLL	Import
KERNEL32.dll	GetCurrentProcess, Sleep, GetLastError, LockResource, LoadResource, SizeofResource, FindResourceA, GetModuleHandleA, GetSystemDirectoryA, GetWindowsDirectoryA, CreateFileA, SystemTimeToFileTime, LocalFileTimeToFileTime, SetFileTime, CloseHandle, FreeResource, SetFileAttributesA, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoA, InterlockedCompareExchange, InterlockedExchange, GetSystemTimeAsFileTime
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA
MSVCR90.dll	fclose, fwrite, remove, ??3@YAXPAX@Z, memcpy, ??2@YAPAXI@Z, _amsg_exit, __getmainargs, _cexit, _exit, _XcptFilter, _ismbblead, exit, _acmdln, _initterm, _initterm_e, _configthreadlocale, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, _encode_pointer, __set_app_type, _crt_debugger_hook, ?terminate@@YAXXZ, _unlock, __dllonexit, _lock, _onexit, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, strlen, memset, strcpy, strcat, fopen

Possible Origin

Language of compilation system	Country where language is spoken	Map
Korean	North Korea
Korean	South Korea
English	United States

Target ID:	0
Start time:	09:48:26
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	148'480 bytes
MD5 hash:	30B8E89D006911AEDD4DDD9F199CEA4B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15%
Total number of Nodes:	120
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401170 Relevance: 7.6, APIs: 5, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0040117C
OpenProcessToken.ADVAPI32(00000000), ref: 00401183
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 0040119B

Memory Dump Source

Source File: 00000000.00000002.1416261030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1416247807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416274285.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000425000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process$CurrentLookupOpenPrivilegeTokenValue
String ID:
API String ID: 3639550587-0
Opcode ID: 30c9963ba618fa52c3a8f775123ca6cb3761b665c3ea739b1d66e81ebafda1ad
Instruction ID: 998d7c9e2814b39a41d7b37a21ee775764381e945c35df4ca51bea2cf094bd05
Opcode Fuzzy Hash: 30c9963ba618fa52c3a8f775123ca6cb3761b665c3ea739b1d66e81ebafda1ad
Instruction Fuzzy Hash: 66116970A04209EFEB14CFA4CD09BBF7B78EB48705F104579E611FA2D1E3789A409B69

Function 00401210 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 149
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(80000002,00404008,00000000,000F003F,?), ref: 00401278
RegQueryValueExA.ADVAPI32(?,00403170,00000000,00000000,00000000,00000004), ref: 004012A5
RegCloseKey.ADVAPI32(00000000), ref: 004013CB

Strings

|1@, xrefs: 0040133A, 0040133D
p1@, xrefs: 00401255
d1@, xrefs: 0040125C

Memory Dump Source

Source File: 00000000.00000002.1416261030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1416247807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416274285.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000425000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: d1@$p1@$|1@
API String ID: 3677997916-378692078
Opcode ID: ec7549cc1f4e5f5e2f07d63bb0c984c19093e9b91ae5221d41fa6ef9fdbfecf9
Instruction ID: 893a0ac62731b324bd3a9d2f5ad13b95aaff6f4a6558c3fb8cb222fd0d76b42d
Opcode Fuzzy Hash: ec7549cc1f4e5f5e2f07d63bb0c984c19093e9b91ae5221d41fa6ef9fdbfecf9
Instruction Fuzzy Hash: F9510DB1A00208BBDB04DFD5DD85FAFBBB9AB48705F104129F701B7290D775AA44CBA9

Non-executed Functions

Function 00401740 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 00401C16
_crt_debugger_hook.MSVCR90(00000001), ref: 00401C23
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00401C2B
UnhandledExceptionFilter.KERNEL32(hC@), ref: 00401C36
_crt_debugger_hook.MSVCR90(00000001), ref: 00401C47
GetCurrentProcess.KERNEL32(C0000409), ref: 00401C52
TerminateProcess.KERNEL32(00000000), ref: 00401C59

Strings

hC@, xrefs: 00401C31

Memory Dump Source

Source File: 00000000.00000002.1416261030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1416247807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416274285.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000425000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID: hC@
API String ID: 3369434319-336404188
Opcode ID: d2139c2bed3175849152e0283c94030944e0fbb0075a10b5a01347a936d41015
Instruction ID: 2aedcaec97bcce6a99d89d9630b336f12a62c9d0ada6259affbba3e18127f102
Opcode Fuzzy Hash: d2139c2bed3175849152e0283c94030944e0fbb0075a10b5a01347a936d41015
Instruction Fuzzy Hash: AC21EDF4901300DBD740EF65FB88B043BA8BB98305F11503AEA08B72A1E7B45985CF1D

Function 004014C0 Relevance: 13.6, APIs: 9, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 004014DE
FindResourceA.KERNEL32(00000000,?,00000000), ref: 004014F3
SizeofResource.KERNEL32(00000000,00000000), ref: 00401514
LoadResource.KERNEL32(00000000,00000000), ref: 00401525
LockResource.KERNEL32(00000000), ref: 00401532
??2@YAPAXI@Z.MSVCR90(00000000), ref: 00401567
memset.MSVCR90 ref: 00401582
memcpy.MSVCR90(00000000,?,?), ref: 00401596
FreeResource.KERNEL32(00000000), ref: 004015A2

Memory Dump Source

Source File: 00000000.00000002.1416261030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1416247807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416274285.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000425000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Resource$??2@FindFreeHandleLoadLockModuleSizeofmemcpymemset
String ID:
API String ID: 4215054063-0
Opcode ID: d6cb9ad8b6f2c82266df92b3db8533be16e97b5d77abb176b134746c45d7bd50
Instruction ID: df105d28d21e45a39e91148c8c33ceea9311091b1e7759c0afe5b158f5e0ef7c
Opcode Fuzzy Hash: d6cb9ad8b6f2c82266df92b3db8533be16e97b5d77abb176b134746c45d7bd50
Instruction Fuzzy Hash: 5C31E8B5D01209EFDB04DFE8D885BAEBBB9AB8C301F108569E615B7344D7389A41CF94

Function 00401CA3 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001C61), ref: 00401CA8

Memory Dump Source

Source File: 00000000.00000002.1416261030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1416247807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416274285.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000425000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 08ec4937f47bae8683846ebde575daac0604b6a6c75c2f286ef2326a66856219
Instruction ID: 7234e5cda294511fdcd36ee1e6d9db052cbb61cd1d76709f3e0e54ebb73451d1
Opcode Fuzzy Hash: 08ec4937f47bae8683846ebde575daac0604b6a6c75c2f286ef2326a66856219
Instruction Fuzzy Hash: BC9002A0A9610056E6001F706D4E90529945B8C71375544716005E40A9DA7481446559

Function 004015C0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 92
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 004015EF
memset.MSVCR90 ref: 0040160C
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 00401630
strcpy.MSVCR90(00000000,00000000), ref: 00401644
strcat.MSVCR90(00000000,00403150), ref: 00401658
strcat.MSVCR90(00000000,g0A@), ref: 0040166B
strcpy.MSVCR90(00000000,g0A@), ref: 00401680
??3@YAXPAX@Z.MSVCR90(?), ref: 0040170F

Strings

0A@, xrefs: 004016A8, 004016AB
IDR_BINARY, xrefs: 004016A3
g0A@, xrefs: 00401675, 00401660, 00401663, 00401678

Memory Dump Source

Source File: 00000000.00000002.1416261030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1416247807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416274285.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000425000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: memsetstrcatstrcpy$??3@DirectorySystem
String ID: 0A@$IDR_BINARY$g0A@
API String ID: 2709240578-1321134200
Opcode ID: 47786f9c9c327f481da938822c778ba72ac1167ad344305fd3850c6c522fb54e
Instruction ID: bd709673f432895d96053e7a1890aeb009925225cf4082008606cb9e1c208365
Opcode Fuzzy Hash: 47786f9c9c327f481da938822c778ba72ac1167ad344305fd3850c6c522fb54e
Instruction Fuzzy Hash: 023136B5D0021CABCB14DB50DC46BDD77786B18304F1445E9E60977290EAB99B84CF95

Function 00401000 Relevance: 9.1, APIs: 6, Instructions: 64
timefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,02000000,00000000), ref: 0040101C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00401083
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00401091
SetFileTime.KERNEL32(000000FF,?,00000000,?), ref: 004010A5
CloseHandle.KERNEL32(000000FF), ref: 004010B2
SetFileAttributesA.KERNEL32(?,00000002), ref: 004010BE

Memory Dump Source

Source File: 00000000.00000002.1416261030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1416247807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416274285.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000425000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$Time$AttributesCloseCreateHandleLocalSystem
String ID:
API String ID: 3576422975-0
Opcode ID: eeea8958ef993b91b99b324b84ae3f0e56cc996f67890e8a31cbe156c994c08a
Instruction ID: d063f94e3047cbbeed53c7bf3acd63c479d462aef834abbec3f88782aa0c5c9f
Opcode Fuzzy Hash: eeea8958ef993b91b99b324b84ae3f0e56cc996f67890e8a31cbe156c994c08a
Instruction Fuzzy Hash: 1C213B75A10209ABEB00DFE4DC45BDEBB79EF48301F008528E605FB294E77997448B99

Function 004010D0 Relevance: 9.0, APIs: 6, Instructions: 40
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 004010DF
GetWindowsDirectoryA.KERNEL32(00404238,00000104), ref: 004010F1
memset.MSVCR90 ref: 00401103
strcpy.MSVCR90(00404130,00404238), ref: 00401115
strcat.MSVCR90(00404130,00403150), ref: 00401127
strcat.MSVCR90(00404130,?), ref: 0040113A

Part of subcall function 004015C0: memset.MSVCR90 ref: 004015EF
Part of subcall function 004015C0: memset.MSVCR90 ref: 0040160C
Part of subcall function 004015C0: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 00401630
Part of subcall function 004015C0: strcpy.MSVCR90(00000000,00000000), ref: 00401644
Part of subcall function 004015C0: strcat.MSVCR90(00000000,00403150), ref: 00401658
Part of subcall function 004015C0: strcat.MSVCR90(00000000,g0A@), ref: 0040166B
Part of subcall function 004015C0: ??3@YAXPAX@Z.MSVCR90(?), ref: 0040170F

Part of subcall function 00401000: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,02000000,00000000), ref: 0040101C

Memory Dump Source

Source File: 00000000.00000002.1416261030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1416247807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416274285.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000425000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: memsetstrcat$Directorystrcpy$??3@CreateFileSystemWindows
String ID:
API String ID: 183849647-0
Opcode ID: e933952b1df384473d573e8b326ce86ba299fe58b85d6d9e2cc82bf740734c5f
Instruction ID: 4063d0ca189c5dcc6b4344f68adf06086b410b5acec7dc23dcd36689976caf37
Opcode Fuzzy Hash: e933952b1df384473d573e8b326ce86ba299fe58b85d6d9e2cc82bf740734c5f
Instruction Fuzzy Hash: 9FF054F6BD130072E60076927C47F5A299407A8B9BF24003AFB897D2D6E8FA5594416F

Function 00401430 Relevance: 6.0, APIs: 4, Instructions: 44
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

remove.MSVCR90 ref: 0040144F
fopen.MSVCR90 ref: 00401461
fwrite.MSVCR90 ref: 00401485
fclose.MSVCR90 ref: 004014AE

Memory Dump Source

Source File: 00000000.00000002.1416261030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1416247807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416274285.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416287561.0000000000425000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: fclosefopenfwriteremove
String ID:
API String ID: 2674753510-0
Opcode ID: 716c65d952b59f682d3413fc4760727344e3253912c4af3e73e5ab98a8c089cb
Instruction ID: e33c1b30cdd4ba52c7a59279bc17ac0183760188e702159388b78ae8196fbdbe
Opcode Fuzzy Hash: 716c65d952b59f682d3413fc4760727344e3253912c4af3e73e5ab98a8c089cb
Instruction Fuzzy Hash: 77112D70D00208FFDB00DF94D949B9E7BB8AF44309F1481A9E9156B290D3799B54CF99

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: file.exePID: 3468, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 3468, Parent PID: 4056COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 00401170 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Control-flow Graph

Function 00401210 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 149registryCOMMON

Windows Analysis Report
file.exe

Function 00401170 Relevance: 7.6, APIs: 5, Instructions: 55
COMMON

Function 00401210 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 149
registryCOMMON

Function 00401740 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58
COMMON

Function 004014C0 Relevance: 13.6, APIs: 9, Instructions: 83
COMMON

Function 004015C0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 92
stringCOMMON

Function 00401000 Relevance: 9.1, APIs: 6, Instructions: 64
timefileCOMMON

Function 004010D0 Relevance: 9.0, APIs: 6, Instructions: 40
stringCOMMON

Function 00401430 Relevance: 6.0, APIs: 4, Instructions: 44
fileCOMMON