
Analysis Report uZHOQbicgS

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 114572
Start date: 05.03.2019
Start time: 13:07:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: uZHOQbicgS (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 63.7% (good quality ratio 55.6%)
  • Quality average: 73.1%
  • Quality standard deviation: 34.6%
HCA Information:
  • Successful, ratio: 73%
  • Number of executed functions: 12
  • Number of non-executed functions: 155
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

Strategy: Threshold
Score: 56
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample is a service DLL but no service has been registered
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the count attached to that technique in the original matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Service Execution (1); Service Execution; Windows Management Instrumentation
Persistence: Modify Existing Service (1); New Service (3); Accessibility Features
Privilege Escalation: New Service (3); Accessibility Features; Path Interception
Defense Evasion: Software Packing (1); Obfuscated Files or Information (2); Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Process Discovery (1); Security Software Discovery (3); System Information Discovery (23)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol (2); Fallback Channels; Custom Cryptographic Protocol

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: uZHOQbicgS.exe, virustotal: Detection: 61%
Source: uZHOQbicgS.exe, metadefender: Detection: 45%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040DD60 VirtualAlloc,SetErrorMode,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040DBA0 WriteFile,SetErrorMode,lstrlenA,CryptStringToBinaryA,CryptDecodeObjectEx,CryptAcquireContextW,CryptImportPublicKeyInfoEx,CryptEncrypt,GetLastError,GlobalAlloc,CryptEncrypt
Public key (encryption) found
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code functions: 1_2_0040E800, 1_2_0040E43D, 1_2_0040E940, 1_2_0040E340, 1_2_0040E3A8; and uZHOQbicgS.exe, Binary or memory string (the same PEM block at every location; its header bytes identify a 1024-bit RSA SubjectPublicKeyInfo, and the END marker is truncated in the report):
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYCKc5+qn6EUaDuEGzfqBGzpVi Kd4apHeVziduKN7BWB1pgBs6aLnKLG2N+Gt5QDZ8QV5a53bDNyvv1H5s00RCl/cV fm/RSTUHcBqnOQv3p61t8Zai0+Q7hjvAefAoj1NWx0REN50usDC/pz+/Uj38QoyS qtXKj8DB9NT061uWmQIDAQAB -----END PUBL

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040E43D LCMapStringW,CompareStringA,InitializeSecurityDescriptor,SetAbortProc,PeekMessageW,QueryPerformanceCounter,CreateDCW,AbortDoc,DefWindowProcA,GetConsoleCP,GetCurrentProcessId,InitializeCriticalSectionAndSpinCount,FileTimeToLocalFileTime,DrawTextW,DialogBoxIndirectParamA,GetVersion,GlobalAlloc,PrintDlgA,GetSubMenu,GetWindowPlacement,ResumeThread,EndPage,DeleteFileA,GetProcAddress,lstrcpynW,UnhandledExceptionFilter,GetDialogBaseUnits,OpenSCManagerA,IsDialogMessageA,lstrlenW,ChooseFontA,FindFirstFileA,TlsSetValue,GetOpenFileNameA,CreateFileMappingW,EmptyClipboard,CreateFontIndirectA,ClosePrinter,GetTextMetricsW,wsprintfW,InvalidateRgn,CharNextA,GetFileTitleW,SendDlgItemMessageA,SizeofResource,CreateWindowExA,GetMenuItemCount,MoveWindow,DispatchMessageA,ExtTextOutA,RegDeleteValueA,GetWindowTextA,LocalReAlloc,GetParent,GetDlgItem,CompareStringW,AppendMenuA,GetLastError,GetLastError,EraseTape,DefineDosDeviceW,GetACP,FindAtomA,Sleep,CreateMutexA,WaitForSingleObject,CreateThread,CreateThread,SetErrorMode,C [API list truncated in the report]
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_00404CC3 FindFirstFileExA
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040F2AD FindFirstFileExA
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040F3D7 FindFirstFileExW
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040B790 SetErrorMode,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,Sleep,lstrcpyA,lstrcpyW,lstrcpyW,CreateThread,WaitForSingleObject,CreateThread,WaitForSingleObject,FindNextFileW,lstrcmpW,lstrcmpW,Sleep,lstrcpyA,lstrcpyW,lstrcpyW,CreateThread,WaitForSingleObject,CreateThread,WaitForSingleObject,CreateThread,FindNextFileW,FindClose,FindClose,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040C3B0 SetErrorMode,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,wsprintfW,Sleep,lstrcpyA,lstrcpyW,lstrcpyW,CreateThread,WaitForSingleObject,CreateThread,WaitForSingleObject,FindNextFileW,lstrcmpW,lstrcmpW,wsprintfW,Sleep,lstrcpyA,lstrcpyW,lstrcpyW,CreateThread,WaitForSingleObject,CreateThread,WaitForSingleObject,CreateThread,FindNextFileW,FindClose,FindClose,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,FindClose

Networking:

Urls found in memory or binary data
Source: uZHOQbicgS.exe, Strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  • http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
  • http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
  • http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
  • http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.sectigo.com0
  • http://www.digicert.com/ssl-cps-repository.htm0
  • https://sectigo.com/CPS0C
  • https://www.digicert.com/CPS0
All of the above are DigiCert and Sectigo CRL, OCSP, CA-certificate and CPS URLs of the kind carried inside an Authenticode certificate chain; the one or two characters after each URL are the adjacent DER bytes picked up by the string extractor, not part of the URL.

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code functions: 1_2_0040D0C0, 1_2_0040EB60, 1_2_0040A3C5, 1_2_0042C870, 1_2_004300AC, 1_2_004301C0, 1_2_004301C7, 1_2_0042B1E2, 1_2_0042C25C, 1_2_0042CB75, 1_2_0042BC51, 1_2_00432CCB, 1_2_0042648E, 1_2_0042C5F5, 1_2_0042B70D, 1_1_0042C870, 1_1_004300AC, 1_1_004301C7, 1_1_0042B1E2, 1_1_0042C25C, 1_1_0042CB75, 1_1_0042BC51, 1_1_00432CCB, 1_1_0042D4E2, 1_1_0042648E, 1_1_004295D6, 1_1_0042C5F5, 1_1_0042B70D
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, String function: 004244B4 appears 41 times
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, String function: 0040D370 appears 96 times
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, String function: 00424128 appears 54 times
Sample file is different than original file name gathered from version info
Source: uZHOQbicgS.exe, Binary or memory string: OriginalFilename vs uZHOQbicgS.exe
Source: uZHOQbicgS.exe, 00000001.00000002.6104271291.0000000002060000.00000004.sdmp, Binary or memory string: OriginalFilename tsecnet.exeL vs uZHOQbicgS.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Section loaded: wow64log.dll
Classification label
Source: classification engine, Classification label: mal56.evad.winEXE@1/0@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040E3A8 SetWindowsHookExA,RegOpenKeyExA,SetWindowPos,AdjustTokenPrivileges,CreateWindowExW,EnumFontsW,LoadAcceleratorsW,PostMessageW,LPtoDP,GetObjectW,RegSetValueExW,lstrcmpiW,LoadCursorW,TranslateAcceleratorW,CharNextW,CreateDCW,CreateFileMappingW,DeleteFileW,SystemParametersInfoW,lstrcpyW,SetCursor,LoadIconW,SetScrollPos,GetSecurityDescriptorSacl,GetLastError,GetLastError,EraseTape,DefineDosDeviceW,GetACP,FindAtomA,Sleep,CreateMutexA,WaitForSingleObject,CreateThread,CreateThread,SetErrorMode,CreateThread,Sleep,Sleep,wsprintfW,GetDriveTypeW,GlobalAlloc,Sleep,CreateThread,Sleep,Sleep,SHGetSpecialFolderPathW,Sleep,Sleep,WaitForSingleObject,Sleep
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040F0A0 Sleep,GetLastError,CreateToolhelp32Snapshot,lstrcpyW,lstrlenW,CharUpperBuffW,Process32FirstW,lstrcmpW,Process32NextW,lstrcpyW,lstrlenW,CharUpperBuffW,lstrcmpW,Process32NextW,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040F460 Sleep,GetLastError,GetModuleHandleW,FindResourceW,LoadResource,LockResource,SizeofResource,GlobalAlloc,GetCurrentDirectoryA,wsprintfA,CreateFileA,WriteFile,CloseHandle,GlobalFree,ShellExecuteA,Sleep,DeleteFileA
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040DFE0 TerminateProcess,GetDC,GetTextCharset,TerminateProcess,StartServiceCtrlDispatcherW,TerminateProcess,TerminateProcess
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040DFE0 TerminateProcess,GetDC,GetTextCharset,TerminateProcess,StartServiceCtrlDispatcherW,TerminateProcess,TerminateProcess
Might use command line arguments
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Command line argument: TaskNetProcess (Code function: 1_2_0040DFE0)
PE file has an executable .text section and no other executable section
Source: uZHOQbicgS.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: uZHOQbicgS.exe, virustotal: Detection: 61%
Source: uZHOQbicgS.exe, metadefender: Detection: 45%

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Unpacked PE file: 1.2.uZHOQbicgS.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_1_00419100 LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code functions (function start, instruction pair, instruction address):
  • 1_2_00401946 push ecx; ret 1_2_00401959
  • 1_2_0042416D push ecx; ret 1_2_00424180
  • 1_2_00424259 push ecx; ret 1_2_0042426C
  • 1_2_0043425C push esi; ret 1_2_0043425E
  • 1_2_0043436F push esi; ret 1_2_00434371
  • 1_2_00434392 push esi; ret 1_2_00434394
  • 1_1_00403066 push esi; iretd 1_1_0040304E
  • 1_1_00408872 push esi; ret 1_1_00408873
  • 1_1_0040481C push esi; ret 1_1_0040481D
  • 1_1_004028CD push esi; ret 1_1_004028CE
  • 1_1_0040609F push esi; iretd 1_1_004060A0
  • 1_1_00402961 push esi; ret 1_1_00402964
  • 1_1_0042416D push ecx; ret 1_1_00424180
  • 1_1_0040217C push esi; retf 1_1_0040218A
  • 1_1_004011CB push esi; ret 1_1_004011CC
  • 1_1_004019B4 push esi; retf 1_1_004019B5
  • 1_1_004012DE push esi; retf 1_1_004012DF
  • 1_1_00405AF5 push esi; retf 1_1_00405AF6
  • 1_1_00406310 push esi; iretd 1_1_00406311
  • 1_1_00409331 push esi; ret 1_1_00409336
  • 1_1_004053CD push esi; ret 1_1_004053F8
  • 1_1_004033D1 push 15000092h; retn 0021h 1_1_0040342D
  • 1_1_00403BDB push esi; retf 1_1_00403D82
  • 1_1_004063E0 push esi; ret 1_1_004063E8
  • 1_1_00407BE9 push es; ret 1_1_00407C8F
  • 1_1_00403B83 push esi; retf 1_1_00403D82
  • 1_1_00403B83 push cs; retf 1_1_00403DA6
  • 1_1_0040145C push ss; retf 1_1_0040145D
  • 1_1_00406C6B push esi; iretd 1_1_00406C6C
  • 1_1_00402CC4 push esi; iretd 1_1_00402CC5
  • 1_1_0040348D push esi; iretd 1_1_004034D6

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040DFE0 TerminateProcess,GetDC,GetTextCharset,TerminateProcess,StartServiceCtrlDispatcherW,TerminateProcess,TerminateProcess

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, API coverage: 1.6 %
Program does not show much activity (idle)
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040E080 GetKeyboardLayout followed by cmp and CTI:
  • cmp eax, 00000437h; jnbe 0040E0AEh
  • cmp eax, 12h; jnbe 0040E0DCh
  • cmp eax, 0000082ch; jnbe 0040E0D0h
  • cmp eax, 0000043fh; jc 0040E0DCh
  • cmp eax, 00000440h; jbe 0040E0D7h
  • cmp eax, 00000442h; je 0040E0D7h
  • cmp eax, 00000843h; jne 0040E0DCh
The 16-bit constants compared here are Windows language identifiers: 0x0437 Georgian, 0x082C Azeri (Cyrillic), 0x043F Kazakh, 0x0440 Kyrgyz, 0x0442 Turkmen, 0x0843 Uzbek (Cyrillic).
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code functions: 1_2_0040E43D, 1_2_00404CC3, 1_2_0040F2AD, 1_2_0040F3D7, 1_2_0040B790, 1_2_0040C3B0 (same API sequences as listed under Spreading above)
Contains functionality to query system information
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040D2F0 wsprintfW,wsprintfW,GetDriveTypeW,GetSystemInfo

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040490E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_1_00419100 LoadLibraryA,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_004035BF mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_00406A7A GetProcessHeap
Program does not show much activity (idle)
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040184F SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040490E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_00401241 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_00401701 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_004247FA _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_1_0041BD14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_1_004247FA _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_1_004017A4 SetUnhandledExceptionFilter

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code functions:
  • 1_2_0043500A __crtGetLocaleInfoA_stat
  • 1_2_0042A1A1 GetLocaleInfoA
  • 1_2_0042A290 _LcidFromHexString,GetLocaleInfoA
  • 1_2_0042A328 GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen
  • 1_2_0042E3D7 GetLocaleInfoA
  • 1_2_0042A5A5 _LcidFromHexString,GetLocaleInfoA
  • 1_2_0042A666 EnumSystemLocalesA
  • 1_2_00434ECB GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA
  • 1_2_0042A698 _GetPrimaryLen,EnumSystemLocalesA
  • 1_2_0042A755 _TranslateName,_TranslateName,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,_strcpy_s,__itow_s
  • 1_2_0042E76C ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,GetLocaleInfoW
  • 1_2_0042A70D _GetPrimaryLen,EnumSystemLocalesA
  • 1_1_0043500A __crtGetLocaleInfoA_stat
  • 1_1_0042A1A1 GetLocaleInfoA
  • 1_1_0042A290 __getptd,_LcidFromHexString,GetLocaleInfoA
  • 1_1_0042A328 GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen
  • 1_1_0042E3D7 GetLocaleInfoA
  • 1_1_0042A39F __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA
  • 1_1_0042A5A5 __getptd,_LcidFromHexString,GetLocaleInfoA
  • 1_1_0042F611 GetLocaleInfoA
  • 1_1_00434ECB GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA
  • 1_1_0042A698 _GetPrimaryLen,EnumSystemLocalesA
  • 1_1_0042A755 __getptd,_TranslateName,_TranslateName,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,GetLocaleInfoA,GetLocaleInfoA,__itow_s
  • 1_1_0042E76C ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
  • 1_1_0042A70D _GetPrimaryLen,EnumSystemLocalesA
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040195B cpuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_004015E9 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0042EABD __lock,__get_daylight,__get_daylight,__get_daylight,_malloc,_strcpy_s,GetTimeZoneInformation
Contains functionality to query windows version
Source: C:\Users\user\Desktop\uZHOQbicgS.exe, Code function: 1_2_0040E43D (calls GetVersion; same API sequence as listed under Spreading above)

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: uZHOQbicgS.exe, Binary or memory string: SBAMTray.exe
Source: uZHOQbicgS.exe, Binary or memory string: SBAMSvc.exe

Behavior Graph

Behavior Graph ID: 114572
Sample: uZHOQbicgS
Start date: 05/03/2019
Architecture: WINDOWS
Score: 56
Process node: uZHOQbicgS.exe (started)
Signature nodes: Multi AV Scanner detection for submitted file; Detected unpacking (overwrites its own PE header)

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source: uZHOQbicgS.exe, Detection: 62%, Scanner: virustotal
Source: uZHOQbicgS.exe, Detection: 46%, Scanner: metadefender

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
