Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 2 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 1248 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: 54E94A67FA679A5F2335C604E09A8AFA) - conhost.exe (PID: 5748 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | Code function: | 0_2_00007FF67A811804 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00007FF67A811804 | |
Source: | Code function: | 0_2_00007FF67A8119AC |
Source: | Code function: | 0_2_00007FF67A8116E4 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1524252 |
Start date and time: | 2024-10-02 17:26:18 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | CLEAN |
Classification: | clean2.winEXE@2/0@0/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target file.exe, PID 1248 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: file.exe
File type: | |
Entropy (8bit): | 6.523499848677671 |
TrID: |
|
File name: | file.exe |
File size: | 23'712 bytes |
MD5: | 54e94a67fa679a5f2335c604e09a8afa |
SHA1: | 175e245c65c81b22a51fabdeb56e7124ad984336 |
SHA256: | cf27c1d28f17b7a6e22675571155514674a38b4b661ac768bc6dd7e4482928ff |
SHA512: | c412391a3b059ed618b5a843ea1b7ba76d192bd2a6f83eaecededb9f800cfad874d4e9cfb288c89dd712a626a1a69be767b2a720791a0a0b6105ce4ba10a2544 |
SSDEEP: | 384:xjk+VCgP6UMDxGxhBbFznTefHIYieTFhO0bnzPxh8E9VF0NyvyRrk:xnVtPCoNFLSfoYiUFXPxWExyi |
TLSH: | 0EB27D1A8AB10C95E8170570BAE54A67EA797A57BAD283DF331DC0106F4174237AA3FC |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(%..lDn.lDn.lDn.e<..`Dn.>,o.nDn.7,o.nDn.>,k.}Dn.>,j.eDn.>,m.mDn..-o.oDn.lDo.XDn..-j.mDn..-..mDn..-l.mDn.RichlDn................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x14000141c |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x63BBD4D3 [Mon Jan 9 08:48:19 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 0ba39925cc55187335fdc1a6bb929fef |
Signature Valid: | true |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | 2876C1BECB51837D0E3DE50903D025B6 |
Thumbprint SHA-1: | 940D69C0A34A1B4CFD8048488BA86F4CED60481A |
Thumbprint SHA-256: | EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1 |
Serial: | 068BE2F53452C882F18ED41A5DD4E7A3 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F88CCFAFFC4h |
dec eax |
add esp, 28h |
jmp 00007F88CCFAFB77h |
int3 |
int3 |
dec eax |
sub esp, 28h |
call 00007F88CCFB04B4h |
test eax, eax |
je 00007F88CCFAFD23h |
dec eax |
mov eax, dword ptr [00000030h] |
dec eax |
mov ecx, dword ptr [eax+08h] |
jmp 00007F88CCFAFD07h |
dec eax |
cmp ecx, eax |
je 00007F88CCFAFD16h |
xor eax, eax |
dec eax |
cmpxchg dword ptr [00001C1Ch], ecx |
jne 00007F88CCFAFCF0h |
xor al, al |
dec eax |
add esp, 28h |
ret |
mov al, 01h |
jmp 00007F88CCFAFCF9h |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
movzx eax, byte ptr [00001C07h] |
test ecx, ecx |
mov ebx, 00000001h |
cmove eax, ebx |
mov byte ptr [00001BF7h], al |
call 00007F88CCFB02E3h |
call 00007F88CCFB0026h |
test al, al |
jne 00007F88CCFAFD06h |
xor al, al |
jmp 00007F88CCFAFD16h |
call 00007F88CCFB0019h |
test al, al |
jne 00007F88CCFAFD0Bh |
xor ecx, ecx |
call 00007F88CCFB000Eh |
jmp 00007F88CCFAFCECh |
mov al, bl |
dec eax |
add esp, 20h |
pop ebx |
ret |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 40h |
cmp byte ptr [00001BBCh], 00000000h |
mov ebx, ecx |
jne 00007F88CCFAFDB6h |
cmp ecx, 01h |
ja 00007F88CCFAFDB5h |
call 00007F88CCFB0412h |
test eax, eax |
je 00007F88CCFAFD2Ah |
test ebx, ebx |
jne 00007F88CCFAFD26h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x286c | 0xc8 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5000 | 0xa70 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x4000 | 0x138 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3400 | 0x28a0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0x2c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2300 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2360 | 0x100 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x1c0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xce8 | 0xe00 | ec63b0266abfa1ceef2218c9dafaf95d | False | 0.6166294642857143 | data | 5.730022764585349 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2000 | 0xf8e | 0x1000 | 192a81cbba0f0d4e815c0d185e688703 | False | 0.399658203125 | data | 4.2498046670945175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3000 | 0xf8 | 0x200 | dbfb0553a3de534249a6d992a84b3dba | False | 0.126953125 | data | 0.8099540210640013 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x4000 | 0x138 | 0x200 | 829f07599a7fe1df4efe2b0d5b0bb6b7 | False | 0.380859375 | data | 2.471620513691712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x5000 | 0xa70 | 0xc00 | c0f2f616bc520746e33ab514f59a0d51 | False | 0.3785807291666667 | data | 5.249395226292878 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x6000 | 0x2c | 0x200 | fd5fa55ab24640599a87db768d60f4e6 | False | 0.11328125 | data | 0.5555998510267239 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x50a0 | 0x34c | data | 0.4585308056872038 | ||
RT_MANIFEST | 0x53ec | 0x682 | exported SGML document, ASCII text | English | United States | 0.42316926770708285 |
DLL | Import |
---|---|
jli.dll | JLI_GetStdArgc, JLI_GetStdArgs, JLI_Launch, JLI_MemAlloc, JLI_CmdToArgs |
KERNEL32.dll | RtlCaptureContext, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, IsProcessorFeaturePresent, IsDebuggerPresent, GetCommandLineA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlVirtualUnwind, RtlLookupFunctionEntry |
VCRUNTIME140.dll | __C_specific_handler, memset |
api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode, __acrt_iob_func, __stdio_common_vfprintf |
api-ms-win-crt-runtime-l1-1-0.dll | __p___argv, _crt_atexit, _seh_filter_exe, _set_app_type, __p___argc, _configure_narrow_argv, terminate, _get_initial_narrow_environment, _initterm, _initterm_e, exit, _exit, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_narrow_environment, _register_onexit_function, _initialize_onexit_table |
api-ms-win-crt-environment-l1-1-0.dll | getenv |
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 11:27:55 |
Start date: | 02/10/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff67a810000 |
File size: | 23'712 bytes |
MD5 hash: | 54E94A67FA679A5F2335C604E09A8AFA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 11:27:55 |
Start date: | 02/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff68cce0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Function 00007FF67A8119AC Relevance: .0, Instructions: 2COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF67A811008 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 79memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|