Edit tour
Windows
Analysis Report
ada_sec2vep.exe
Overview
General Information
| Sample name: | ada_sec2vep.exe |
| Analysis ID: | 1528215 |
| MD5: | b895e8e9a05f32670b728fe042d4d70b |
| SHA1: | 520969de78995e685d9044048b1efd3621f6d10c |
| SHA256: | 7895ca50cad8e6497a4ec9f46a38a914ef631ae723779c4f5f0e7e3ac59a44eb |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
AI detected suspicious sample
Machine Learning detection for sample
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Classification
- System is w10x64_ra
ada_sec2vep.exe (PID: 6876 cmdline: "C:\Users\ user\Deskt op\ada_sec 2vep.exe" MD5: B895E8E9A05F32670B728FE042D4D70B)
- ada_sec2vep.exe (PID: 6696 cmdline:
"C:\Users\ user\Deskt op\ada_sec 2vep.exe" MD5: B895E8E9A05F32670B728FE042D4D70B)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Binary or memory string: | memstr_eaa96626-5 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1528215 |
| Start date and time: | 2024-10-07 16:57:50 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 21s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | ada_sec2vep.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@2/0@0/0 |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenFile calls found.
- VT rate limit hit for: ada_sec2vep.exe
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.634159746800974 |
| TrID: |
|
| File name: | ada_sec2vep.exe |
| File size: | 560'128 bytes |
| MD5: | b895e8e9a05f32670b728fe042d4d70b |
| SHA1: | 520969de78995e685d9044048b1efd3621f6d10c |
| SHA256: | 7895ca50cad8e6497a4ec9f46a38a914ef631ae723779c4f5f0e7e3ac59a44eb |
| SHA512: | 922a6f86095ab13d44128af5fdc0ddd3e806d0ef23b4a6a87a5ee717faa5453009655d12af01cac446e28ac43da73ffeaddb62e2d65005e85c8901c1c4acc6a8 |
| SSDEEP: | 12288:igMuVdfkkFXbHnDdj7e8Tcs8a6cDw1vLE9m+OJ2/QGimtP2DmTT+arFFgI8:tMyB5cV1vLE9SSQa2Q7gI8 |
| TLSH: | F6C49F06BEC050B1E2E7367515B697725E3D7A2447219AC7E3D44C7A89202E09F3A3BE |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...H..g.........."...............................@.......................... ............@........................................ |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x469ddd |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6703F648 [Mon Oct 7 14:55:04 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f889a9d6aca32ba301f36599c6ede1cd |
| Instruction |
|---|
| call 00007FD27C813C53h |
| jmp 00007FD27C8137FFh |
| push ebp |
| mov ebp, esp |
| push ecx |
| cmp dword ptr [00488160h], 01h |
| jl 00007FD27C8139E8h |
| cmp dword ptr [ebp+08h], C00002B4h |
| je 00007FD27C81398Bh |
| cmp dword ptr [ebp+08h], C00002B5h |
| jne 00007FD27C8139D6h |
| stmxcsr dword ptr [ebp-04h] |
| mov eax, dword ptr [ebp-04h] |
| xor eax, 3Fh |
| test al, 81h |
| je 00007FD27C8139C1h |
| test eax, 00000204h |
| jne 00007FD27C813989h |
| mov eax, C000008Eh |
| leave |
| ret |
| test eax, 00000102h |
| je 00007FD27C8139ACh |
| test eax, 00000408h |
| jne 00007FD27C813989h |
| mov eax, C0000091h |
| leave |
| ret |
| test eax, 00000810h |
| jne 00007FD27C813989h |
| mov eax, C0000093h |
| leave |
| ret |
| test eax, 00001020h |
| jne 00007FD27C813990h |
| mov eax, C000008Fh |
| leave |
| ret |
| mov eax, C0000090h |
| leave |
| ret |
| mov eax, dword ptr [ebp+08h] |
| leave |
| ret |
| push ebp |
| mov ebp, esp |
| push dword ptr [ebp+08h] |
| call 00007FD27C81398Fh |
| neg eax |
| pop ecx |
| sbb eax, eax |
| neg eax |
| dec eax |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| cmp dword ptr [00488F64h], FFFFFFFFh |
| push dword ptr [ebp+08h] |
| jne 00007FD27C813989h |
| call 00007FD27C80C48Bh |
| jmp 00007FD27C81398Dh |
| push 00488F64h |
| call 00007FD27C80C40Eh |
| pop ecx |
| neg eax |
| pop ecx |
| sbb eax, eax |
| not eax |
| and eax, dword ptr [ebp+08h] |
| pop ebp |
| ret |
| push 00000008h |
| push 00000030h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7ddfc | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x498 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8d000 | 0x4844 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x70b78 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7e1a8 | 0x2f8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6a110 | 0x6a200 | 3a3099fe44abf567e2e4269944489f26 | False | 0.563526023262662 | data | 6.584010213561401 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x6c000 | 0x1384c | 0x13a00 | ae58beab0c0a69f7ca342d554c4d44a9 | False | 0.3890824044585987 | data | 5.412988032048491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x80000 | 0x90b8 | 0x3e00 | e4db7151ea28f14d21c1c7a27328ce6e | False | 0.21156754032258066 | DOS executable (block device driver) | 3.691427254147485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .code | 0x8a000 | 0x1d3d | 0x1e00 | 197c3ff3cae5514d6393c4ea4d3f6e38 | False | 0.48671875 | data | 5.814792803440674 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x8c000 | 0x498 | 0x600 | 5ec5e5a98cb31e8020064f0f9680fb27 | False | 0.3736979166666667 | data | 4.586160103346616 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x8d000 | 0x4844 | 0x4a00 | 46d7a55318fdbe3d2c2d2783ddaea232 | False | 0.7377533783783784 | data | 6.670070195874956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x8c060 | 0x433 | XML 1.0 document, ASCII text | English | United States | 0.4827906976744186 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CopyFileW, CreateDirectoryW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, DeleteFileW, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExpandEnvironmentStringsA, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindFirstFileW, FindNextFileW, FlushFileBuffers, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDriveTypeW, GetEnvironmentStringsW, GetFileAttributesExW, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLastError, GetLocalTime, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryA, GetSystemTimeAsFileTime, GetTickCount, GetTimeZoneInformation, GetUserDefaultLCID, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, MultiByteToWideChar, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, RemoveDirectoryW, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFileAttributesW, SetFilePointer, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, SleepEx, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnregisterWait, VerSetConditionMask, VerifyVersionInfoA, WideCharToMultiByte, WriteConsoleW, WriteFile |
| SHELL32.dll | SHGetSpecialFolderPathW |
| USER32.dll | CharLowerW, GetForegroundWindow |
| WS2_32.dll | WSACleanup, WSAGetLastError, WSAIoctl, WSASetLastError, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostname, getpeername, getsockname, getsockopt, htonl, htons, ioctlsocket, listen, ntohl, ntohs, recv, select, send, setsockopt, socket |
| SHLWAPI.dll | PathMatchSpecW |
| ODBC32.dll | |
| ADVAPI32.dll | CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGenRandom, CryptGetHashParam, CryptHashData, CryptReleaseContext |
| CRYPT32.dll | CertAddCertificateContextToStore, CertCloseStore, CertCreateCertificateChainEngine, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateChain, CertFreeCertificateChainEngine, CertFreeCertificateContext, CertGetCertificateChain, CertGetNameStringA, CertOpenStore, CryptQueryObject, CryptStringToBinaryA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:58:21 |
| Start date: | 07/10/2024 |
| Path: | C:\Users\user\Desktop\ada_sec2vep.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa30000 |
| File size: | 560'128 bytes |
| MD5 hash: | B895E8E9A05F32670B728FE042D4D70B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 9 |
| Start time: | 10:58:49 |
| Start date: | 07/10/2024 |
| Path: | C:\Users\user\Desktop\ada_sec2vep.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa30000 |
| File size: | 560'128 bytes |
| MD5 hash: | B895E8E9A05F32670B728FE042D4D70B |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
⊘No disassembly