Windows Analysis Report
_ISDel.exe

Overview

General Information

Sample name:_ISDel.exe
Analysis ID:1528053
MD5:130f6392e3c8c43773b1ca7737d0b8b0
SHA1:372d0412388d8d0c9cd7cb8ddeb175b21cbf7395
SHA256:1058834b08b4323ca825843e43c0687d687ac4fd40e667e90da56a58389bc32a

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
PE file has a writeable .text section
Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64
  • _ISDel.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\_ISDel.exe" MD5: 130F6392E3C8C43773B1CA7737D0B8B0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: _ISDel.exe | Avira: detected
Source: _ISDel.exe | Joe Sandbox ML: detected
Source: _ISDel.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

System Summary

Source: _ISDel.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: _ISDel.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal56.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\_ISDel.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: acspecfc.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: mscms.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: userenv.dll (listed twice)
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: ddraw.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: winmmbase.dll (listed twice)
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: acwow64.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\_ISDel.exe | Process information set: NOOPENFILEERRORBOX (listed 5 times)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK matrix (one technique per tactic column; the number in parentheses is the count of matched signatures, shown only where a signature matched)

Tactic                  Technique
Reconnaissance          Gather Victim Identity Information
Resource Development    Acquire Infrastructure
Initial Access          Valid Accounts
Execution               Windows Management Instrumentation
Persistence             DLL Side-Loading (1)
Privilege Escalation    DLL Side-Loading (1)
Defense Evasion         DLL Side-Loading (1)
Credential Access       OS Credential Dumping
Discovery               System Information Discovery (1)
Lateral Movement        Remote Services
Collection              Data from Local System
Command and Control     Data Obfuscation
Exfiltration            Exfiltration Over Other Network Medium
Impact                  Abuse Accessibility Features
Source       Detection  Scanner         Label
_ISDel.exe   100%       Avira           TR/Crypt.XPACK.Gen
_ISDel.exe   100%       Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP info
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1528053
Start date and time:2024-10-07 14:52:45 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 38s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:_ISDel.exe
Detection:MAL
Classification:mal56.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • VT rate limit hit for: _ISDel.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.858414870120262
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:_ISDel.exe
File size:32'256 bytes
MD5:130f6392e3c8c43773b1ca7737d0b8b0
SHA1:372d0412388d8d0c9cd7cb8ddeb175b21cbf7395
SHA256:1058834b08b4323ca825843e43c0687d687ac4fd40e667e90da56a58389bc32a
SHA512:cd211ed74e8765b906989e0801c666341e5903382266f9069e0e115922c24968b5d3613a50f2d76c0fed00007137e4425a0a231a0348acef9117a745aa749b55
SSDEEP:384:Z3wIA7GjPE6nnP9TDWsKAkk/fG8+lmQP+0JSfgyz5SiqsT6zg/7z:twIA7Q7tDUAdnemQVSfg9TsOzg/H
TLSH:86E29E53ADE54BB3F4E1A57491BABB38DB3B64130C760227E780D89B19362519C2932B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'~S.F...F...F...F...F...@...F...Z...F..Rich.F..........................PE..L.....66.................0...B...............@....@
Icon Hash:90cececece8e8eb0
Entrypoint:0x4017c0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x363619C9 [Tue Oct 27 19:06:49 1998 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:af417a432744d25669a269c31c292485
Instruction (entry point 0x4017c0; the ";" annotations are added by the editor and are not part of the report: the sequence matches the MSVC CRT WinMainCRTStartup prologue, consistent with the VS97 (5.0) linker recorded below)
push ebp
mov ebp, esp
push FFFFFFFFh                        ; SEH frame: initial try-level -1
push 00404118h                        ; scope table
push 00402A88h                        ; exception handler
mov eax, dword ptr fs:[00000000h]     ; link the frame into the thread's SEH chain
push eax
mov dword ptr fs:[00000000h], esp
add esp, FFFFFFA8h                    ; reserve 0x58 bytes of locals
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00404090h]            ; import thunk; the split of eax below matches the GetVersion return layout
xor edx, edx
mov dl, ah                            ; minor OS version
mov dword ptr [0040774Ch], edx
mov ecx, eax
and ecx, 000000FFh                    ; major OS version
mov dword ptr [00407748h], ecx
shl ecx, 08h
add ecx, edx                          ; (major << 8) | minor
mov dword ptr [00407744h], ecx
shr eax, 10h                          ; high word (build number)
mov dword ptr [00407740h], eax
call 00007F5F888E8699h                ; CRT heap initialisation
test eax, eax
jne 00007F5F888E756Ch
push 0000001Ch                        ; runtime error 0x1c (the CRT's _RT_HEAPINIT) if it failed
call 00007F5F888E76CEh
add esp, 04h
mov dword ptr [ebp-04h], 00000000h    ; try-level 0
call 00007F5F888E847Fh
call 00007F5F888E846Ah
call dword ptr [0040408Ch]            ; import thunk; the result is scanned for a leading quote below, as the CRT does with GetCommandLineA
mov dword ptr [004080B4h], eax
call 00007F5F888E7E1Ah
mov dword ptr [00407728h], eax
test eax, eax
je 00007F5F888E756Bh
mov eax, dword ptr [004080B4h]
test eax, eax
jne 00007F5F888E756Ch
push FFFFFFFFh
call 00007F5F888E76F1h
add esp, 04h
call 00007F5F888E7B49h
call 00007F5F888E7A54h
call 00007F5F888E76AFh
mov esi, dword ptr [004080B4h]        ; saved command line
mov dword ptr [ebp-64h], esi
cmp byte ptr [esi], 00000022h         ; '"': is the program name quoted?
jne 00007F5F888E7624h
Programming Language:
  • [RES] VS97 (5.0) SP3 cvtres 5.00.1668
  • [IMP] VS97 (5.0) SP3 link 5.10.7303
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x4a50           0x45          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT           0x4458           0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x9000           0x3e8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x4000           0x114         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics)

Section .text
  Virtual Address:0x1000
  Virtual Size:0x2ed6
  Raw Size:0x3000
  MD5:ac8e8bf42c06a903e38937f943da6a90
  Xored PE:False
  ZLIB Complexity:0.6163736979166666
  File Type:data
  Entropy:6.353702069097776
  Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Section .rdata
  Virtual Address:0x4000
  Virtual Size:0xa95
  Raw Size:0xc00
  MD5:a28858e104c8e9a771fe03bd5b70f53f
  Xored PE:False
  ZLIB Complexity:0.419921875
  File Type:data
  Entropy:4.85236337043305
  Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Section .data
  Virtual Address:0x5000
  Virtual Size:0x30b8
  Raw Size:0x2800
  MD5:37bee89f3cbe48891f6391c1ea1dceba
  Xored PE:False
  ZLIB Complexity:0.0677734375
  File Type:data
  Entropy:0.7369657740130013
  Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Section .rsrc
  Virtual Address:0x9000
  Virtual Size:0x1600
  Raw Size:0x1600
  MD5:4da44b4bd78c3a91900828f73bedbaf9
  Xored PE:False
  ZLIB Complexity:0.6938920454545454
  File Type:data
  Entropy:6.091911273131719
  Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
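The report's main static signal ("PE file has a writeable .text section") is read straight off the section characteristics in the table above, which also shows the .rsrc section marked executable and writable. The following Python script is an added example by the editor, not part of the Joe Sandbox report or of the sample: using only the standard library, it parses a PE's COFF file header and section table, decodes the file and section characteristics, and lists every section that is both executable and writable. It is run against a constructed, header-only PE image (no section bodies, nothing executable) whose section layout and flags are copied from this report, so it builds and runs anywhere. The caveat a triage analyst should keep in mind: the flag is a property of how the image was linked (the report records a 1998 timestamp and a VS97 linker), it is enough to put the sample in a W+X bucket and, together with the generic TR/Crypt.XPACK.Gen heuristic and idle runtime, drives the score of 56, but it says nothing about behaviour on its own; this report records no dropped files, registry writes, network activity or injection.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}

# COFF file header characteristics (the "Image File Characteristics" line of the report).
FILE_FLAG_NAMES = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}


def flag_names(value, table):
    """Decode a bitmask into the flag names from `table`, in table order."""
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data):
    """Return (file_characteristics, [section dicts]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, relocs/linenumber pointers and counts, Characteristics
        name, vsize, va, raw_size, _raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "characteristics": flags,
        })
    return characteristics, sections


def wx_sections(sections):
    """Names of sections that are both executable and writable (the W^X violation the report flags)."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in sections if s["characteristics"] & wx == wx]


# Constructed test data: section layout and flags copied from this report's section table.
REPORT_SECTIONS = [
    (".text", 0x1000, 0x2ed6, 0x3000,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
     | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rdata", 0x4000, 0x0a95, 0x0c00,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", 0x5000, 0x30b8, 0x2800,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x9000, 0x1600, 0x1600,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
     | IMAGE_SCN_MEM_WRITE),
]


def build_header_only_pe(sections, file_characteristics=0x010F, timestamp=0x363619C9):
    """Build a header-only PE32 image (no section bodies) for exercising the parser.
    Defaults reproduce this report's file characteristics and link timestamp."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp,
                                   0, 0, 0xE0, file_characteristics)
    optional = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)  # PE32 magic, rest zeroed
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, raw, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, raw, flags in sections)
    return dos + coff + optional + table


if __name__ == "__main__":
    chars, secs = parse_pe(build_header_only_pe(REPORT_SECTIONS))
    print("file:", ", ".join(flag_names(chars, FILE_FLAG_NAMES)))
    for s in secs:
        print(f"{s['name']:<7} {s['virtual_address']:#07x} "
              + ", ".join(flag_names(s["characteristics"], SECTION_FLAG_NAMES)))
    print("W+X sections:", wx_sections(secs))  # [".text", ".rsrc"]
```

On a real file the same information is available through `pefile` (`SECTION.Characteristics` on each entry of `pe.sections`); the script exists to show exactly which header bits the signature inspects, and to show that for this sample the check fires on two sections, not only the one the signature names.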
Resources
Name        RVA     Size   Type  Language  Country        ZLIB Complexity
RT_STRING   0x93b8  0x2c   data  English   United States  0.5
RT_VERSION  0x90a0  0x318  data  English   United States  0.4532828282828283
Imports
KERNEL32.dll: RemoveDirectoryA, DeleteFileA, GetWindowsDirectoryA, GetTickCount, CloseHandle, CreateFileA, SetErrorMode, GetPrivateProfileIntA, lstrcmpiA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetModuleHandleA, lstrcatA, lstrcpyA, UnhandledExceptionFilter, GetModuleFileNameA, GetProcAddress, VirtualAlloc, LoadLibraryA, GetStringTypeA, HeapAlloc, GetStringTypeW, LCMapStringW, LCMapStringA, HeapFree, RtlUnwind, VirtualFree, WriteFile, HeapDestroy, GetFileType, HeapCreate, GetLastError, SetCurrentDirectoryA, Sleep, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsA, MultiByteToWideChar, FreeEnvironmentStringsW, GetEnvironmentStrings, SetHandleCount, GetCPInfo, GetACP, GetOEMCP, GetStdHandle
USER32.dll: CharNextA, DefWindowProcA, wsprintfA, IsWindow, RegisterWindowMessageA, SetTimer, PostQuitMessage, RegisterClassA, LoadIconA, LoadCursorA, GetMessageA, GetSystemMetrics, CreateWindowExA, SendMessageA, TranslateMessage, DispatchMessageA
Exports
Name     Ordinal  Address
WndProc  1        0x4011d6
Language of compilation system:English
Country where language is spoken:United States
No network behavior found

Target ID:0
Start time:08:53:35
Start date:07/10/2024
Path:C:\Users\user\Desktop\_ISDel.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\_ISDel.exe"
Imagebase:0x400000
File size:32'256 bytes
MD5 hash:130F6392E3C8C43773B1CA7737D0B8B0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

No disassembly