Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PUESTO.zip

Overview

General Information

Sample name:PUESTO.zip
Analysis ID:1542208
MD5:0cf1dcd8733817ea870b6722abfac4f7
SHA1:3de94ab5e4343220cbbc8251861c82be1a125f9e
SHA256:44bb56713e672c1f09f7cf7a37ea92a328b427f6d30b6b823e48198ee0c95965

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)

Classification

Process Tree

  • System is w10x64_ra
  • rundll32.exe (PID: 6804 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Binary string: bin/DIMSA.Modulos.Operaciones.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.InterfacesBCT.pdb source: PUESTO.zip, bin.zip
Source: Binary string: A bin/DIMSA.Modulos.Portafolio.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Clientes.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Bancos.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Componentes.FormasBase_CS.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Normativa.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Custodia.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Principal.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.CRM.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Datos.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Contabilidad.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Componentes.Controles.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Auditoria.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Portafolio.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Servicios.Utiles.pdb source: PUESTO.zip, bin.zip
Source: Binary string: 'bin/DIMSA.Componentes.FormasBase_CS.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Servicios.Datos.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Negocios.General.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Sistemas.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Valoracion.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Seguridad.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.General.pdb source: PUESTO.zip, bin.zip
Source: Binary string: &bin/DIMSA.Componentes.Controles_CS.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Negocios.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Valoracion.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Componentes.FormasBase.pdb source: PUESTO.zip, bin.zip
Source: Binary string: $bin/DIMSA.Componentes.FormasBase.pdb source: PUESTO.zip, bin.zip
Source: Binary string: !bin/DIMSA.Modulos.Operaciones.pdb source: PUESTO.zip, bin.zip
Source: Binary string: ,"bin/DIMSA.Modulos.Contabilidad.pdb source: PUESTO.zip, bin.zip
Source: Binary string: #bin/DIMSA.Componentes.Controles.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Componentes.Controles_CS.pdb source: PUESTO.zip, bin.zip
Source: classification engineClassification label: clean0.winZIP@1/0@0/0
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: PUESTO.zipStatic file information: File size 41093246 > 1048576
Source: Binary string: bin/DIMSA.Modulos.Operaciones.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.InterfacesBCT.pdb source: PUESTO.zip, bin.zip
Source: Binary string: A bin/DIMSA.Modulos.Portafolio.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Clientes.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Bancos.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Componentes.FormasBase_CS.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Normativa.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Custodia.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Principal.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.CRM.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Datos.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Contabilidad.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Componentes.Controles.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Auditoria.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Portafolio.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Servicios.Utiles.pdb source: PUESTO.zip, bin.zip
Source: Binary string: 'bin/DIMSA.Componentes.FormasBase_CS.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Servicios.Datos.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Negocios.General.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Sistemas.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Valoracion.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Seguridad.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.General.pdb source: PUESTO.zip, bin.zip
Source: Binary string: &bin/DIMSA.Componentes.Controles_CS.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Negocios.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Modulos.Valoracion.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Componentes.FormasBase.pdb source: PUESTO.zip, bin.zip
Source: Binary string: $bin/DIMSA.Componentes.FormasBase.pdb source: PUESTO.zip, bin.zip
Source: Binary string: !bin/DIMSA.Modulos.Operaciones.pdb source: PUESTO.zip, bin.zip
Source: Binary string: ,"bin/DIMSA.Modulos.Contabilidad.pdb source: PUESTO.zip, bin.zip
Source: Binary string: #bin/DIMSA.Componentes.Controles.pdb source: PUESTO.zip, bin.zip
Source: Binary string: bin/DIMSA.Componentes.Controles_CS.pdb source: PUESTO.zip, bin.zip
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Rundll32		OS Credential Dumping1
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1542208
Start date and time:2024-10-25 16:39:58 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:PUESTO.zip
Detection:CLEAN
Classification:clean0.winZIP@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .zip

Warnings

  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: PUESTO.zip

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:Zip archive data, at least v2.0 to extract, compression method=store
Entropy (8bit):7.98888878010616
TrID:
  • ZIP compressed archive (8000/1) 100.00%
File name:PUESTO.zip
File size:41'093'246 bytes
MD5:0cf1dcd8733817ea870b6722abfac4f7
SHA1:3de94ab5e4343220cbbc8251861c82be1a125f9e
SHA256:44bb56713e672c1f09f7cf7a37ea92a328b427f6d30b6b823e48198ee0c95965
SHA512:c5db5b176784983e88000fc3d2da675ae892b2c139a49a2900d3dc7539f959ba4a46631d985182abf6ee6260a67594dc313dcda307e03fade887dd0ab249bf0a
SSDEEP:786432:pBqQrEvCtVpW66n7h9PwCdTtAi8ElFdNhrYsVJF9HESZ2vVGElFTub7QKJGfZDt:/hrOC1WRt9PwCdBAijl9JYkJHtQv/Zff
TLSH:539733026B05033B3BA7F33742B2D21650621C88EA45D4F1B5689B2A95CBF97D6BD73C
File Content Preview:PK.........sYY................PUESTO/bin.zipPK........HFVY........."......bin/AxInterop.AcroPDFLib.dll.Y{p.....$..1...y.,..yX.....`cc.b...y..g.l_.t..lc..@..$....M;i...dJR(.Jg...4!.6.!0IC..N..ah'.$...I.In.N.k..}..o..........U.&..9.|.%.12S5];m..W.l...>.9&4.

File Icon

Icon Hash:1c1c1e4e4ececedc

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

General

Target ID:0
Start time:10:40:32
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:0x7ff745fe0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

No disassembly