Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
fqfeeCJXIY.exe

Overview

General Information

Sample name:fqfeeCJXIY.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:f5d2b0198dad167dd8973bba80fdcf02013fc2e69f36866445602542087b6b8e
Analysis ID:1541199
MD5:3ec3f39d4f633ca3443c482f1562b07e
SHA1:023f3586c6b1852db13efd0e28ba175aaa64611e
SHA256:f5d2b0198dad167dd8973bba80fdcf02013fc2e69f36866445602542087b6b8e

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Machine Learning detection for sample
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • fqfeeCJXIY.exe (PID: 2544 cmdline: "C:\Users\user\Desktop\fqfeeCJXIY.exe" MD5: 3EC3F39D4F633CA3443C482F1562B07E)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Machine Learning detection for sample
Source: fqfeeCJXIY.exeJoe Sandbox ML: detected
Source: fqfeeCJXIY.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: fqfeeCJXIY.exe, 00000000.00000002.2175371662.0000000000401000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.NewXing.com
Source: fqfeeCJXIY.exe, 00000000.00000000.2129019985.000000000059A000.00000020.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename vs fqfeeCJXIY.exe
Source: fqfeeCJXIY.exeBinary or memory string: OriginalFilename vs fqfeeCJXIY.exe
Source: fqfeeCJXIY.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: fqfeeCJXIY.exeStatic PE information: Section: 0ext ZLIB complexity 0.9960295962591241
Source: fqfeeCJXIY.exeStatic PE information: Section: 5ata ZLIB complexity 1.00048828125
Source: fqfeeCJXIY.exe, 00000000.00000002.2175371662.0000000000401000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ~.vbp@
Source: fqfeeCJXIY.exe, 00000000.00000002.2175371662.0000000000401000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ~.vbp @m
Source: classification engineClassification label: sus22.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeMutant created: NULL
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeFile created: C:\Users\user\AppData\Local\Temp\~DF590B5E50594AA91C.TMPJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeFile read: C:\Users\user\Desktop\fqfeeCJXIY.exeJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: vb6chs.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: vb6chs.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeSection loaded: wintypes.dllJump to behavior
Source: initial sampleStatic PE information: section where entry point is pointing to: 3ext
Source: fqfeeCJXIY.exeStatic PE information: section name: 0ext
Source: fqfeeCJXIY.exeStatic PE information: section name: 1ata
Source: fqfeeCJXIY.exeStatic PE information: section name: 2src
Source: fqfeeCJXIY.exeStatic PE information: section name: 3ext
Source: fqfeeCJXIY.exeStatic PE information: section name: 4data
Source: fqfeeCJXIY.exeStatic PE information: section name: 5ata
Source: fqfeeCJXIY.exeStatic PE information: section name: 0ext entropy: 7.999257185550183
Source: fqfeeCJXIY.exeStatic PE information: section name: 3ext entropy: 7.904648337578353
Source: fqfeeCJXIY.exeStatic PE information: section name: 5ata entropy: 7.994227836892481
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\fqfeeCJXIY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		2
Software Packing		OS Credential Dumping2
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
DLL Side-Loading		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
fqfeeCJXIY.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://www.NewXing.comfqfeeCJXIY.exe, 00000000.00000002.2175371662.0000000000401000.00000040.00000001.01000000.00000003.sdmpfalse
    		unknown

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1541199
    Start date and time:2024-10-24 15:09:39 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 1m 43s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:fqfeeCJXIY.exe
    (renamed file extension from none to exe, renamed because original name is a hash value)
    Original Sample Name:f5d2b0198dad167dd8973bba80fdcf02013fc2e69f36866445602542087b6b8e
    Detection:SUS
    Classification:sus22.winEXE@1/1@0/0
    Cookbook Comments:
    • Stop behavior analysis, all processes terminated

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
    • VT rate limit hit for: fqfeeCJXIY.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DF590B5E50594AA91C.TMP

    Download File
    Process:C:\Users\user\Desktop\fqfeeCJXIY.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):26750
    Entropy (8bit):4.187573134962164
    Encrypted:false
    SSDEEP:192:CnsY92Xa5zlO5IXJ5IKOqmjMzzE26n35iN7ZGuafHdSAWZE4zjJEviZhggxAaeSS:Csuua7OuJ58qmjizFGaZG1dbuq+OVTf
    MD5:335E95621F12008E2DF1B81AF007D63E
    SHA1:EE83DAFE755F1A8F20C07B0649464537155F32BC
    SHA-256:E4D515F65D11B058B9B809DA68DC0FBAEB599BE86E7215C3C2143278F15101D7
    SHA-512:E43B94C5AAAC9ECB317A9DF6B6624722E75B1F79ACE762134DF786FD302915A861AFFDB1CC0D0843ABDCD6A10E33D5FBD2B0AE189519B795CC2887C194443338
    Malicious:false
    Reputation:low
    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
    Entropy (8bit):7.945207806505944
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:fqfeeCJXIY.exe
    File size:834'506 bytes
    MD5:3ec3f39d4f633ca3443c482f1562b07e
    SHA1:023f3586c6b1852db13efd0e28ba175aaa64611e
    SHA256:f5d2b0198dad167dd8973bba80fdcf02013fc2e69f36866445602542087b6b8e
    SHA512:ab5738b08a24b87d7065d232f006ae27b25ac0115e30217a52386ac46e9a923aa47246246daf714216fab0a055b9515f3f70bf3fd8048bb7bf14347c3c7539bc
    SSDEEP:24576:0R0IaSZ0T3x+gZHqvUrBKAykNqq5qT0wM2i:0R0IaSQ+gZKvUr3yc3qT0w9i
    TLSH:B9052271B215813DCA56CF3770228DFE96352C588B2E56BB284DB66E1C37E81C1DAC9C
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.GU..)...)...)...'...).t. ...)...$...).Rich..).........................PE..L....n.R.............................+....... ....@

    File Icon

    Icon Hash:07314dd65459278e

    Static PE Info

    General

    Entrypoint:0x5a2bd3
    Entrypoint Section:3ext
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
    DLL Characteristics:
    Time Stamp:0x52F26E84 [Wed Feb 5 17:01:56 2014 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:73ec795c6c369c6ce2c3b4c3f6477daa

    Entrypoint Preview

    Instruction
    call 00007FE3DCFD79D5h
    pushad
    call 00007FE3DCFD7A24h
    jle 00007FE3DCFD79D3h
    xchg eax, ecx
    sbb dword ptr [eax], ecx
    add ecx, dword ptr [ecx]
    salc
    inc ebp
    add ecx, dword ptr [edi]
    or al, 6Ah
    loop 00007FE3DCFD7A4Bh
    sbb eax, 964CD4BCh
    pop ss

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x1b3b340x3c4data
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x19a0000x66e42src
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x1b30000x644data
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
    0ext0x10000x1903bc0x89000728492e7b2feffa48f7ef4b51990f2f3False0.9960295962591241OpenPGP Secret Key7.999257185550183IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    1ata0x1920000x747c0x1000ed4218439b3a0574d8609e2ae9e82471False0.010498046875data3.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    2src0x19a0000x66e40x7000ef2f327abccf1e89184faa6308b22e34False0.38438197544642855data4.069780175622684IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    3ext0x1a10000x11daf0xc0004320e41680c4b391827b06ce6cb7c062False0.9506022135416666data7.904648337578353IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    4data0x1b30000xda40x10000e71b543dac19b9f4f92d69a4296c47eFalse0.34228515625data4.143833566529815IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    5ata0x1b40000x80000x80008ba039cdfec4c3965d9272995526d24fFalse1.00048828125data7.994227836892481IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

    Resources

    NameRVASizeTypeLanguageCountryZLIB Complexity
    RT_ICON0x1a05bc0x128Device independent bitmap graphic, 16 x 32 x 4, image size 00.597972972972973
    RT_ICON0x1a00540x568Device independent bitmap graphic, 16 x 32 x 8, image size 0, 256 important colors0.4624277456647399
    RT_ICON0x19fbec0x468Device independent bitmap graphic, 16 x 32 x 32, image size 00.7083333333333334
    RT_ICON0x19f9040x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 00.5483870967741935
    RT_ICON0x19f05c0x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0, 256 important colors0.29061371841155237
    RT_ICON0x19dfb40x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 00.4692776735459662
    RT_ICON0x19d94c0x668Device independent bitmap graphic, 48 x 96 x 4, image size 00.4353658536585366
    RT_ICON0x19caa40xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0, 256 important colors0.2867803837953092
    RT_ICON0x19a4fc0x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 00.4382780082987552
    RT_GROUP_ICON0x19a4780x84data0.6818181818181818
    RT_VERSION0x19a2700x208dataChineseChina0.5307692307692308

    Imports

    DLLImport
    KERNEL32.dlllstrcatA, InitializeCriticalSection, GetProcAddress, LocalFree, RaiseException, LocalAlloc, GetModuleHandleA, LeaveCriticalSection, EnterCriticalSection, DuplicateHandle, GetShortPathNameA, ResumeThread, WriteProcessMemory, GetPrivateProfileSectionA, GetStringTypeA, LCMapStringW, LCMapStringA, RtlUnwind, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW
    USER32.dllDefWindowProcA, AdjustWindowRectEx

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    ChineseChina

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    System Behavior

    General

    Target ID:0
    Start time:09:10:31
    Start date:24/10/2024
    Path:C:\Users\user\Desktop\fqfeeCJXIY.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\fqfeeCJXIY.exe"
    Imagebase:0x400000
    File size:834'506 bytes
    MD5 hash:3EC3F39D4F633CA3443C482F1562B07E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Disassembly

    No disassembly