Windows Analysis Report
Spud.exe

Overview

General Information

Sample name: Spud.exe
Analysis ID: 1562487
MD5: 4a86c8af56b2a9b448b93433ff7fcf41
SHA1: b0136ca3b4e04b3203f15b3947f96abbcd033237
SHA256: d52355666006d9cfae423c9f4eb8e8600c720baaf4b7aba37127e0f7854ab212

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • Spud.exe (PID: 6804 cmdline: "C:\Users\user\Desktop\Spud.exe" MD5: 4A86C8AF56B2A9B448B93433FF7FCF41)
  • cleanup
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: Spud.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: clean1.winEXE@1/0@0/0
Source: Spud.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Spud.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: spudmfc.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Spud.exe | Section loaded: wintypes.dll
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK matrix (tactic: technique; a count in parentheses is the number of matched signatures):
Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1)
Defense Evasion: DLL Side-Loading (1)
Credential Access: OS Credential Dumping
Discovery: System Information Discovery (1)
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features

No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562487
Start date and time: 2024-11-25 16:15:52 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: Spud.exe
Detection: CLEAN
Classification: clean1.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: Spud.exe
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 4.853777687970241
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Spud.exe
File size: 110'592 bytes
MD5: 4a86c8af56b2a9b448b93433ff7fcf41
SHA1: b0136ca3b4e04b3203f15b3947f96abbcd033237
SHA256: d52355666006d9cfae423c9f4eb8e8600c720baaf4b7aba37127e0f7854ab212
SHA512: 7411acba64a12ac0f3ad57cab285f9b59396ba7e0c66bcaa67e9cf9ac19a003eddb12a9eba7667ec6ce49933b3defd59ef34fc4b60f1e6c94a7f495845426d11
SSDEEP: 768:m7vPFvznZYiEBTuNP1W8I/Ecm0P0cnNK2AoaNsNPZ8CkCofYyr0VLvQXrXuXH0XU:wvPpnZ+O88IQ0P0KNKbChxofYyoF
TLSH: 59B339237665C8A5D5D188718953CBBA2621BC633EA13E8333D03F1FEE32999DD12356
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........2...a...a...av..a...a...a...a...a...a...a...a...a...a...a...a...a...a...a...a2..a...aRich...a........................PE..L..
Icon Hash: 4a92d3cbaf2f2f1e
Entrypoint: 0x403cb1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x4ECC1120 [Tue Nov 22 21:16:16 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 5084a35ed6af0954aadb199d4f4c7acc
Entrypoint disassembly (Instruction):
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040C300h
push 00406B58h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0040C030h]
xor edx, edx
mov dl, ah
mov dword ptr [00411224h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00411220h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0041121Ch], ecx
shr eax, 10h
mov dword ptr [00411218h], eax
xor esi, esi
push esi
call 00007F8118B3BAF6h
pop ecx
test eax, eax
jne 00007F8118B38D1Ah
push 0000001Ch
call 00007F8118B38DC5h
pop ecx
mov dword ptr [ebp-04h], esi
call 00007F8118B3B7C1h
call dword ptr [0040C02Ch]
mov dword ptr [00412764h], eax
call 00007F8118B3B67Fh
mov dword ptr [004111FCh], eax
call 00007F8118B3B428h
call 00007F8118B3B36Ah
call 00007F8118B3A358h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0040C028h]
call 00007F8118B3B2FBh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F8118B38D18h
movzx eax, word ptr [ebp-2Ch]
jmp 00007F8118B38D15h
push 0000000Ah
pop eax
push eax
push dword ptr [ebp-64h]
push esi
push esi
call dword ptr [0040C024h]
Programming Language:
  • [ C ] VS98 (6.0) SP6 build 8804
  • [C++] VS98 (6.0) SP6 build 8804
  • [EXP] VC++ 6.0 SP5 build 8804
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd568 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13000 | 0x9ff8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0xe0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa06a | 0xb000 | dbbc0c7262501a77c92eef9c2414c140 | False | 0.5460094105113636 | data | 6.247822969661715 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0x1a34 | 0x2000 | 1b22fd57d1513a7fc424b5e7e116394a | False | 0.2998046875 | OpenPGP Public Key | 3.7979050761850965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe000 | 0x4768 | 0x3000 | 23b3a8bca24998a3372003c54c82c293 | False | 0.08097330729166667 | data | 1.251090023749093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x13000 | 0x9ff8 | 0xa000 | 177af6345e22ff23509984687d5fb4bd | False | 0.1576171875 | data | 3.8306474620539355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x19308 | 0x8ac | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\010" | English | United States | 0.31891891891891894
RT_CURSOR | 0x19bd0 | 0x2ec | data | English | United States | 0.3155080213903743
RT_CURSOR | 0x19ed8 | 0x8ac | Targa image data - RLE 64 x 65536 x 1 +32 "\010" | English | United States | 0.3063063063063063
RT_CURSOR | 0x1a7a0 | 0x8ac | Targa image data - Mono 64 x 65536 x 1 +32 "\010" | English | United States | 0.31756756756756754
RT_CURSOR | 0x1b068 | 0x8ac | data | English | United States | 0.3364864864864865
RT_CURSOR | 0x1b930 | 0x8ac | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\010" | English | United States | 0.3171171171171171
RT_CURSOR | 0x1c1f8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.474025974025974
RT_CURSOR | 0x1c330 | 0x2ec | Targa image data - Map 64 x 65536 x 1 +32 "\004" | English | United States | 0.2660427807486631
RT_CURSOR | 0x1c648 | 0x8ac | data | English | United States | 0.31576576576576576
RT_BITMAP | 0x18dd8 | 0xd8 | Device independent bitmap graphic, 15 x 14 x 4, image size 112 | English | United States | 0.2824074074074074
RT_BITMAP | 0x18eb0 | 0xd0 | Device independent bitmap graphic, 9 x 13 x 4, image size 104 | English | United States | 0.2980769230769231
RT_ICON | 0x13a60 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.29838709677419356
RT_ICON | 0x13d48 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | English | United States | 0.47368421052631576
RT_ICON | 0x13e78 | 0xb0 | Device independent bitmap graphic, 32 x 32 x 1, image size 128 | English | United States | 0.44886363636363635
RT_ICON | 0x13f28 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.4189189189189189
RT_ICON | 0x14050 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3312274368231047
RT_ICON | 0x148f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.46459537572254334
RT_ICON | 0x14ec0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.39919354838709675
RT_ICON | 0x151a8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | English | United States | 0.47368421052631576
RT_ICON | 0x152d8 | 0xb0 | Device independent bitmap graphic, 32 x 32 x 1, image size 128 | English | United States | 0.44886363636363635
RT_ICON | 0x15388 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.4594594594594595
RT_ICON | 0x154b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3740974729241877
RT_ICON | 0x15d58 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.47398843930635837
RT_ICON | 0x16320 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.48118279569892475
RT_ICON | 0x16608 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | English | United States | 0.47368421052631576
RT_ICON | 0x16738 | 0xb0 | Device independent bitmap graphic, 32 x 32 x 1, image size 128 | English | United States | 0.44886363636363635
RT_ICON | 0x167e8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5202702702702703
RT_ICON | 0x16910 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.40794223826714804
RT_ICON | 0x171b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.49421965317919075
RT_ICON | 0x17780 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.3709677419354839
RT_ICON | 0x17a68 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | English | United States | 0.618421052631579
RT_ICON | 0x17b98 | 0xb0 | Device independent bitmap graphic, 32 x 32 x 1, image size 128 | English | United States | 0.44886363636363635
RT_ICON | 0x17c48 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5405405405405406
RT_ICON | 0x17d70 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3655234657039711
RT_ICON | 0x18618 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.5007225433526011
RT_DIALOG | 0x18be0 | 0x7a | data | English | United States | 0.7786885245901639
RT_DIALOG | 0x18c60 | 0x172 | dBase III DBT, next free block index 4294901761 | English | United States | 0.2945945945945946
RT_STRING | 0x1cf10 | 0xe2 | data | English | United States | 0.6415929203539823
RT_GROUP_CURSOR | 0x1c620 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States | 0.9411764705882353
RT_GROUP_CURSOR | 0x19bb8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x19ec0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1a788 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1b050 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1b918 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1c1e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1cef8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x14e60 | 0x5a | data | English | United States | 0.7777777777777778
RT_GROUP_ICON | 0x162c0 | 0x5a | data | English | United States | 0.7888888888888889
RT_GROUP_ICON | 0x17720 | 0x5a | data | English | United States | 0.7888888888888889
RT_GROUP_ICON | 0x18b80 | 0x5a | data | English | United States | 0.8
RT_VERSION | 0x18f80 | 0x384 | data | English | United States | 0.4411111111111111
Imports:
DLL | Import
KERNEL32.dll | GetProcAddress, GetLastError, LoadLibraryA, MultiByteToWideChar, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, SetStdHandle, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, RtlUnwind, RaiseException, HeapFree, TerminateProcess, GetCurrentProcess, HeapReAlloc, HeapAlloc, HeapSize, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, WriteFile, SetFilePointer, FlushFileBuffers, CloseHandle, SetUnhandledExceptionFilter, VirtualAlloc, IsBadWritePtr, GetCPInfo, GetACP, GetOEMCP, IsBadReadPtr, IsBadCodePtr, ReadFile
USER32.dll | MessageBoxA
OLEAUT32.dll | RegisterTypeLib, LoadTypeLib
Version information:
Language of compilation system | Country where language is spoken
English | United States