Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 2 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 6644 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: 2C93AA1938A5477FA1311BA6571E255E) - conhost.exe (PID: 4324 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | Code function: | 0_2_00007FF712961804 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00007FF7129619AC | |
Source: | Code function: | 0_2_00007FF712961804 |
Source: | Code function: | 0_2_00007FF7129616E4 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1524395 |
Start date and time: | 2024-10-02 18:41:56 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | CLEAN |
Classification: | clean2.winEXE@2/0@0/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target file.exe, PID 6644 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: file.exe
File type: | |
Entropy (8bit): | 6.521688004763868 |
TrID: |
|
File name: | file.exe |
File size: | 23'712 bytes |
MD5: | 2c93aa1938a5477fa1311ba6571e255e |
SHA1: | 6729ce9157110a2fc33230c99ad7ff04f3fb9da2 |
SHA256: | 3de11905d85b52f73b787d7360742e9f1b2b70fe5d6a3e812fcec8fe00211f09 |
SHA512: | ff4c09dc5a131d0592a1d525b8ba24b0afcdf16dc17410400d3deeccd8a02c4e779a32097b4c4135cb9f5566aa799bf76556abf4ee6c24267cdde222d1986a37 |
SSDEEP: | 384:ujk+VCAP6UWrcGRlCBbF+LBefPIYieTFhO0erPxh8E9VF0Ny3Va:unV9P8gGR2FaofwYiUFerPxWEVM |
TLSH: | 53B27C19DAB40C56E8034570BAF50A67EE797A93A9D283DF731D81006F4178277AA3FC |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(%..lDn.lDn.lDn.e<..`Dn.>,o.nDn.7,o.nDn.>,k.}Dn.>,j.eDn.>,m.mDn..-o.oDn.lDo.XDn..-j.mDn..-..mDn..-l.mDn.RichlDn................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x14000141c |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x63BBD4D3 [Mon Jan 9 08:48:19 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 0ba39925cc55187335fdc1a6bb929fef |
Signature Valid: | true |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | 2876C1BECB51837D0E3DE50903D025B6 |
Thumbprint SHA-1: | 940D69C0A34A1B4CFD8048488BA86F4CED60481A |
Thumbprint SHA-256: | EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1 |
Serial: | 068BE2F53452C882F18ED41A5DD4E7A3 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F2B88ED64F4h |
dec eax |
add esp, 28h |
jmp 00007F2B88ED60A7h |
int3 |
int3 |
dec eax |
sub esp, 28h |
call 00007F2B88ED69E4h |
test eax, eax |
je 00007F2B88ED6253h |
dec eax |
mov eax, dword ptr [00000030h] |
dec eax |
mov ecx, dword ptr [eax+08h] |
jmp 00007F2B88ED6237h |
dec eax |
cmp ecx, eax |
je 00007F2B88ED6246h |
xor eax, eax |
dec eax |
cmpxchg dword ptr [00001C1Ch], ecx |
jne 00007F2B88ED6220h |
xor al, al |
dec eax |
add esp, 28h |
ret |
mov al, 01h |
jmp 00007F2B88ED6229h |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
movzx eax, byte ptr [00001C07h] |
test ecx, ecx |
mov ebx, 00000001h |
cmove eax, ebx |
mov byte ptr [00001BF7h], al |
call 00007F2B88ED6813h |
call 00007F2B88ED6556h |
test al, al |
jne 00007F2B88ED6236h |
xor al, al |
jmp 00007F2B88ED6246h |
call 00007F2B88ED6549h |
test al, al |
jne 00007F2B88ED623Bh |
xor ecx, ecx |
call 00007F2B88ED653Eh |
jmp 00007F2B88ED621Ch |
mov al, bl |
dec eax |
add esp, 20h |
pop ebx |
ret |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 40h |
cmp byte ptr [00001BBCh], 00000000h |
mov ebx, ecx |
jne 00007F2B88ED62E6h |
cmp ecx, 01h |
ja 00007F2B88ED62E5h |
call 00007F2B88ED6942h |
test eax, eax |
je 00007F2B88ED625Ah |
test ebx, ebx |
jne 00007F2B88ED6256h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2854 | 0xc8 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5000 | 0xa5c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x4000 | 0x138 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3400 | 0x28a0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0x2c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x22f0 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2350 | 0x100 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x1c0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xce8 | 0xe00 | 4e0e03b227e42284f32849a6b8ff6498 | False | 0.6169084821428571 | data | 5.7324283734757415 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2000 | 0xf76 | 0x1000 | e6791ca96e7cd0a8270aed3c7b457b6c | False | 0.400146484375 | data | 4.244671041569124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3000 | 0xf8 | 0x200 | 33ad04fc097a367db2c48e38a854e371 | False | 0.126953125 | data | 0.8099540210640013 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x4000 | 0x138 | 0x200 | bab77f70d7190a079e4f344457886936 | False | 0.37890625 | data | 2.494976591004372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x5000 | 0xa5c | 0xc00 | 8b26e4a21b92ce718a041aa44e902279 | False | 0.3766276041666667 | data | 5.259153425612755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x6000 | 0x2c | 0x200 | 501403d6e5cc245c7b62f683f608919f | False | 0.11328125 | data | 0.5516936010267239 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x50a0 | 0x33c | data | 0.4613526570048309 | ||
RT_MANIFEST | 0x53dc | 0x67f | exported SGML document, ASCII text | English | United States | 0.423331328923632 |
DLL | Import |
---|---|
jli.dll | JLI_GetStdArgc, JLI_GetStdArgs, JLI_Launch, JLI_MemAlloc, JLI_CmdToArgs |
KERNEL32.dll | RtlCaptureContext, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, IsProcessorFeaturePresent, IsDebuggerPresent, GetCommandLineA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlVirtualUnwind, RtlLookupFunctionEntry |
VCRUNTIME140.dll | __C_specific_handler, memset |
api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode, __acrt_iob_func, __stdio_common_vfprintf |
api-ms-win-crt-runtime-l1-1-0.dll | __p___argv, _crt_atexit, _seh_filter_exe, _set_app_type, __p___argc, _configure_narrow_argv, terminate, _get_initial_narrow_environment, _initterm, _initterm_e, exit, _exit, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_narrow_environment, _register_onexit_function, _initialize_onexit_table |
api-ms-win-crt-environment-l1-1-0.dll | getenv |
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 2, 2024 18:43:31.784414053 CEST | 53 | 58017 | 162.159.36.2 | 192.168.2.5 |
Oct 2, 2024 18:43:32.307030916 CEST | 53 | 56191 | 1.1.1.1 | 192.168.2.5 |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 12:42:45 |
Start date: | 02/10/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff712960000 |
File size: | 23'712 bytes |
MD5 hash: | 2C93AA1938A5477FA1311BA6571E255E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 12:42:45 |
Start date: | 02/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Function 00007FF7129619AC Relevance: .0, Instructions: 2COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF712961008 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 79memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|