
Analysis Report xf-adsk2018_x64v3.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 121012
Start date: 04.04.2019
Start time: 04:30:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: xf-adsk2018_x64v3.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 17.8% (good quality ratio 17%)
  • Quality average: 62.5%
  • Quality standard deviation: 24.7%
HCA Information:
  • Successful, ratio: 78%
  • Number of executed functions: 10
  • Number of non-executed functions: 119
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy: Threshold
Score: 56
Range: 0 - 100
Reporting:
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false
Confidence:


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques per tactic (a number in parentheses is the count of matched signatures the report shows for that technique; entries without a number are the matrix's default cells with no match):

  • Initial Access: Valid Accounts; Replication Through Removable Media
  • Execution: Windows Remote Management; Service Execution
  • Persistence: Winlogon Helper DLL; Port Monitors
  • Privilege Escalation: Port Monitors; Accessibility Features
  • Defense Evasion: Software Packing (1); Obfuscated Files or Information (2)
  • Credential Access: Credential Dumping; Network Sniffing
  • Discovery: Security Software Discovery (3); System Information Discovery (11)
  • Lateral Movement: Application Deployment Software; Remote Services
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
  • Command and Control: Standard Cryptographic Protocol (2); Fallback Channels

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: xf-adsk2018_x64v3.exe | virustotal: Detection: 61%
Source: xf-adsk2018_x64v3.exe | metadefender: Detection: 37%
Antivirus detection for unpacked file
Source: 0.0.xf-adsk2018_x64v3.exe.400000.0.unpack | Avira: Label: TR/Patched.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00458A70 CryptReleaseContext
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00458AE0 CryptAcquireContextA,__CxxThrowException@8
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00483770 CryptReleaseContext
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00458780 CryptGenRandom,__CxxThrowException@8

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00467810 _memset,_memset,GetDlgItemTextA,SetDlgItemTextA,MessageBoxA,MessageBoxA,MessageBoxA,MessageBoxA,MessageBoxA,CreateThread,Sleep,SendMessageA,PostQuitMessage,KiUserCallbackDispatcher,SetDlgItemTextA,SetDlgItemTextA,EndDialog,PostQuitMessage,SetBkMode,SetBkColor,SetTextColor,CreateSolidBrush,NtdllDefWindowProc_A,7328AC50,7328AC50,7328AC50,7328AC50,SetBkMode,SetBkColor,SetTextColor,CreateSolidBrush
Detected potential crypto function
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0046A7DC
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00460840
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00401058
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00459870
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00401000
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0047790B
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0046B1DF
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_004609A0
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0047A1AB
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00461A10
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0045A2B0
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00472363
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00460300
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00443320
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00477399
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00444C40
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00426450
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00461410
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_004664C0
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00470C8C
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00462490
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00425DE0
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0047CDE9
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_004265F0
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00430D80
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00442650
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00477E7D
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_00478625
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_004796F6
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0043CF70
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0047B710
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_004507A0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: String function: 0047A79B appears 33 times
PE file contains executable resources (Code or Archives)
Source: xf-adsk2018_x64v3.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
PE file contains strange resources
Source: xf-adsk2018_x64v3.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: xf-adsk2018_x64v3.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal56.evad.winEXE@1/0@0/0
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_004628E0 FindResourceA,LoadResource,LockResource,SizeofResource,CreateFileA,WriteFile,CloseHandle,CloseHandle,_memset,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,DeleteFileA
Might use command line arguments
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Command line argument: button | 0_2_00467CF0
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Command line argument: button | 0_2_00467CF0
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Command line argument: button | 0_2_00467CF0
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Command line argument: button | 0_2_00467CF0
PE file has an executable .text section and no other executable section
Source: xf-adsk2018_x64v3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: xf-adsk2018_x64v3.exe | virustotal: Detection: 61%
Source: xf-adsk2018_x64v3.exe | metadefender: Detection: 37%

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0046AB15 push ecx; ret | 0_2_0046AB28

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0046A7DC RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (36 calls)

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Stalling execution: Execution stalls by calling Sleep | graph_0-29586

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0046A035 IsDebuggerPresent
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_004764A4 RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0046D7AA GetProcessHeap
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0046E82B SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0046E85C SetUnhandledExceptionFilter,UnhandledExceptionFilter

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0045B1F0 cpuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\xf-adsk2018_x64v3.exe | Code function: 0_2_0046A29C GetSystemTimeAsFileTime,__aulldiv

Behavior Graph

[Behavior graph image not reproduced; recoverable node text follows.]

Behavior Graph ID: 121012
Sample: xf-adsk2018_x64v3.exe
Start date: 04/04/2019
Architecture: WINDOWS
Score: 56

Graph nodes:
  • Process: xf-adsk2018_x64v3.exe (started)
  • Signature: Multi AV Scanner detection for submitted file
  • Signature: Antivirus detection for unpacked file
  • Signature (on the process node): Found stalling execution ending in API Sleep call

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
xf-adsk2018_x64v3.exe | 62% | virustotal |
xf-adsk2018_x64v3.exe | 38% | metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.xf-adsk2018_x64v3.exe.400000.0.unpack | 100% | Avira | TR/Patched.Gen
0.1.xf-adsk2018_x64v3.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1021074
0.2.xf-adsk2018_x64v3.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1021074

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
