Loading ...

Analysis Report ZXjRzkzmhg.exe

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:116865
Start date:15.03.2019
Start time:03:13:41
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 35s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:ZXjRzkzmhg.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.winEXE@2/4@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 87.3% (good quality ratio 61.8%)
  • Quality average: 43.4%
  • Quality standard deviation: 37.6%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Execution Graph export aborted for target ZXjRzkzmhg.exe, PID 4600 because there are no executed function

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold520 - 100Report FP / FNfalsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsObfuscated Files or Information3Credential DumpingProcess Discovery1Application Deployment SoftwareData from Local SystemData CompressedData Obfuscation
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingSecurity Software Discovery2Remote ServicesData from Removable MediaExfiltration Over Other Network MediumFallback Channels
Drive-by CompromiseWindows Management InstrumentationAccessibility FeaturesPath InterceptionRootkitInput CaptureSystem Information Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic Protocol

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for submitted fileShow sources
Source: ZXjRzkzmhg.exeAvira: Label: TR/Dropper.Gen

System Summary:

barindex
PE file has a writeable .text sectionShow sources
Source: ZXjRzkzmhg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Creates files inside the system directoryShow sources
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\Windows\AppCompat\Programs\Amcache.hve.tmpJump to behavior
Creates mutexesShow sources
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4600
One or more processes crashShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 216
PE file does not import any functionsShow sources
Source: ZXjRzkzmhg.exeStatic PE information: No import functions for PE file found
Tries to load missing DLLsShow sources
Source: C:\Users\user\Desktop\ZXjRzkzmhg.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)Show sources
Source: ZXjRzkzmhg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification labelShow sources
Source: classification engineClassification label: mal52.winEXE@2/4@0/0
Creates temporary filesShow sources
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4922.tmpJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: ZXjRzkzmhg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policiesShow sources
Source: C:\Users\user\Desktop\ZXjRzkzmhg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\ZXjRzkzmhg.exe 'C:\Users\user\Desktop\ZXjRzkzmhg.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 216

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\Desktop\ZXjRzkzmhg.exeCode function: 0_2_00858B16 push edi; iretd 0_2_00858B1D
Source: C:\Users\user\Desktop\ZXjRzkzmhg.exeCode function: 0_2_00859031 push edx; iretd 0_2_0085903C
Source: C:\Users\user\Desktop\ZXjRzkzmhg.exeCode function: 0_2_00857F47 push eax; retf 0_2_00857F4B
Source: C:\Users\user\Desktop\ZXjRzkzmhg.exeCode function: 0_2_00857E55 push 6633B983h; retf 0_2_00857E68
Source: C:\Users\user\Desktop\ZXjRzkzmhg.exeCode function: 0_2_00857E6A push ebp; retf 0_2_00857E6B
Binary may include packed or encrypted codeShow sources
Source: initial sampleStatic PE information: section name: .text entropy: 7.9321762492

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Queries disk information (often used to detect virtual machines)Show sources
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: PhysicalDrive0Jump to behavior
Queries a list of all running processesShow sources
Source: C:\Windows\SysWOW64\WerFault.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Checks for debuggers (devices)Show sources
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\Windows\WinSxS\FileMaps\users_usere_davies_desktop_d0c8b1053f2960bc.cdf-ms
Checks if the current process is being debuggedShow sources
Source: C:\Users\user\Desktop\ZXjRzkzmhg.exeProcess queried: DebugPortJump to behavior
Enables debug privilegesShow sources
Source: C:\Windows\SysWOW64\WerFault.exeProcess token adjusted: DebugJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 116865 Sample: ZXjRzkzmhg.exe Startdate: 15/03/2019 Architecture: WINDOWS Score: 52 13 Antivirus detection for submitted file 2->13 15 PE file has a writeable .text section 2->15 6 ZXjRzkzmhg.exe 2->6         started        process3 process4 8 WerFault.exe 25 10 6->8         started        file5 11 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 8->11 dropped

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
ZXjRzkzmhg.exe11%metadefenderBrowse
ZXjRzkzmhg.exe100%AviraTR/Dropper.Gen

Dropped Files

No Antivirus matches

Unpacked PE Files

SourceDetectionScannerLabelLinkDownload
0.0.ZXjRzkzmhg.exe.830000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
0.0.ZXjRzkzmhg.exe.830000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
0.0.ZXjRzkzmhg.exe.830000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
0.1.ZXjRzkzmhg.exe.830000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
0.2.ZXjRzkzmhg.exe.830000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.