Analysis Report untitled.bin

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 126984
Start date: 29.04.2019
Start time: 00:51:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 41s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: untitled.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.rans.expl.evad.winEXE@2/4@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 74.7% (good quality ratio 72%)
  • Quality average: 84.5%
  • Quality standard deviation: 23.9%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 35
  • Number of non-executed functions: 78
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, sc.exe, WerFault.exe, TiWorker.exe, wermgr.exe, SIHClient.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, svchost.exe, TrustedInstaller.exe

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 64 | 0 - 100 | - | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | -


Classification

Label: mal64.rans.expl.evad.winEXE@2/4@0/0 (verdict mal, score 64; the tags rans, expl and evad correspond to the ransom-demand, exploit and evasion signature sections below; sample type winEXE)

Analysis Advice

  • Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (the command line switches may require prefix characters such as "-", "/" or "--").
  • Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control. Trailing digits are the matrix's signature-count badges, reproduced as printed; cells without one are the matrix's unmatched placeholders.

Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Process Injection 1 | Disabling Security Tools 1 | Credential Dumping | Process Discovery 3 | Application Deployment Software | Data from Local System | Data Compressed | Standard Cryptographic Protocol 2
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection 1 | Network Sniffing | Account Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information 2 | Input Capture | Security Software Discovery 13 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | System Information Discovery 33 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  • Source: untitled.exe | virustotal: Detection: 50%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_004044E2 CryptBinaryToStringW,CryptBinaryToStringW
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00404481 CryptStringToBinaryW,CryptStringToBinaryW
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00403E94 CryptAcquireContextW,CryptGenRandom
  CryptBinaryToStringW / CryptStringToBinaryW are encoding helpers (most commonly Base64 or hex, depending on the flags passed), not encryption; CryptAcquireContextW followed by CryptGenRandom draws random bytes from a CSP, which is what a ransomware builder uses for per-victim keys or nonces. The three functions on their own do not tell you which cipher, if any, is applied to files.
Exploits:

Accesses ntoskrnl, likely to find offsets for exploits
  • Source: C:\Users\user\Desktop\untitled.exe | File opened: C:\Windows\system32\ntkrnlmp.exe
  The same process later queries SystemModuleInformation (see "Queries a list of all running drivers") and maps a file with CreateFileMappingW/MapViewOfFile (0_2_00402C26). Reading the on-disk kernel image for symbol offsets and combining them with the live kernel base from the module list is the standard user-mode preparation for a kernel exploit, so the ntkrnlmp.pdb string, the ntkrnlmp.exe OriginalFilename and the windows.com/stopcode URL reported further down are most likely artifacts of that mapped image rather than strings of the sample's own.

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00405971 FindFirstFileW,FindNextFileW,FindClose

Networking:

Urls found in memory or binary data
  • Source: untitled.exe, 00000000.00000002.4989225156.0000000003169000.00000004.sdmp | String found in binary or memory: https://www.windows.com/stopcode (immediately followed by "Your", i.e. the bug-check text the kernel displays; the same dump region holds the ntkrnlmp.pdb string)

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_004032E0 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC
  The chain builds a screen-sized bitmap, draws text into it with DrawTextW, then calls SystemParametersInfoW (presumably SPI_SETDESKWALLPAPER): the usual way a ransom note is placed on the desktop, and the reason for the "rans" tag in the classification label.

Protection of GUI:

Contains functionality to create a new desktop
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00607D83 GetCurrentProcess,SetPriorityClass,RtlAllocateHeap,HeapCreate,CreateThread,SetThreadPriority,SetThreadAffinityMask,CreateDesktopA,ResumeThread,WaitForSingleObject,Sleep,TerminateThread,RtlFreeHeap,CloseDesktop,Sleep,CloseHandle,TlsFree
  A thread pinned to one core by SetThreadAffinityMask, raised in priority and switched to its own desktop (compare 0_2_0060770D under System Summary, which calls SetThreadDesktop and runs a message loop there) is scaffolding shared by lock-screen ransomware and by win32k exploit code that needs deterministic scheduling.
System Summary:

Contains functionality to call native functions
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_006065F5 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,memcpy,NtFreeVirtualMemory
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_0060674B NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,CreateThread,WaitForSingleObject,TerminateThread,GetExitCodeThread
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00606CF9 TlsGetValue,GetCurrentThreadId,NtCallbackReturn
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00606CC7 NtCallbackReturn
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00606D45 NtCallbackReturn
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00606E2B NtCallbackReturn,TlsGetValue,GetCurrentThreadId,SetActiveWindow,SendMessageA,DestroyWindow
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00607321 TlsGetValue,NtdllDefWindowProc_A,PostQuitMessage,CreateWindowExA,GetClassLongA,SetClassLongA
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_0060770D TlsSetValue,SetThreadDesktop,RegisterClassA,RegisterClassA,CreateWindowExA,NtdllDefWindowProc_A,RegisterClassA,CreateWindowExA,GetCurrentThreadId,SetWinEventHook,CreateMenu,CreateMenu,AppendMenuA,CreateMenu,AppendMenuA,SetMenuInfo,Sleep,ShowWindow,memset,SetClassLongW,SetClassLongW,Sleep,PostMessageA,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,UnhookWinEvent
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00607317 NtdllDefWindowProc_A
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_006073A2 _snwprintf,RtlInitUnicodeString,CreateEventA,NtCreateTimer,NtSetTimer,SleepEx,WaitForSingleObject
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00606B98 NtdllDefWindowProc_A,RegisterClassA,CreateWindowExA,CreateWindowExA,CreateWindowExA
  NtCallbackReturn is normally called only from the user-mode callback handlers that win32k invokes through the process's KernelCallbackTable. Functions in the 0x0060xxxx range that call it directly, beside SetThreadDesktop, SetWinEventHook, CreateMenu/SetMenuInfo and SetClassLong, are the usual scaffolding of a win32k kernel exploit, which fits the ntkrnlmp.exe mapping and the SystemModuleInformation query elsewhere in this report. These functions are the ones to prioritise in static analysis.
Creates files inside the system directory
  • Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Creates mutexes
  • Source: C:\Users\user\Desktop\untitled.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\DAE678E1-967E-6A19-D564-F7FCA6E7AEBC
  • Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1472
Detected potential crypto function
  • Source: C:\Users\user\Desktop\untitled.exe | Code functions (stage 0_2): 0_2_00409B60, 0_2_00406993, 0_2_00408ECB, 0_2_004146B1, 0_2_00406EB6, 0_2_00406735, 0_2_0040F3B8, 0_2_00604168
  • Source: C:\Users\user\Desktop\untitled.exe | Code functions (stage 0_1): 0_1_00401393, 0_1_00402610, 0_1_004198A4, 0_1_0040A2C0, 0_1_004022F8, 0_1_00415345, 0_1_00419360, 0_1_00414B65, 0_1_0040EB11, 0_1_0041B4D1, 0_1_0041A4E0, 0_1_00419DE8, 0_1_0040260B, 0_1_00414690, 0_1_00415765, 0_1_00414F39
Found potential string decryption / allocating functions
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: String function: 00409DF4 appears 78 times
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: String function: 0040F0D8 appears 36 times
  Note that 00409DF4 is also the "push eax; ret" site listed under Data Obfuscation; a tiny routine called from dozens of places and ending in push eax; ret has the shape of the CRT stack probe (_chkstk/_alloca_probe) rather than a string decryptor. Confirm in a disassembler before spending time on it.
One or more processes crash
  • Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 660
Sample file is different than original file name gathered from version info
  • Source: untitled.exe, 00000000.00000000.4912188045.0000000003A0C000.00000004.sdmp | Binary or memory string: OriginalFilename ntkrnlmp.exe vs untitled.exe
  This version resource belongs to the kernel image the sample reads (see Exploits), not to the sample itself.
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\untitled.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
  wow64log.dll is probed by every 32-bit process under WOW64 and is normally absent; it is not sample-specific, and the remaining misses belong to WerFault.exe.
Classification label
  • Source: classification engine | Classification label: mal64.rans.expl.evad.winEXE@2/4@0/0
Contains functionality to check free disk space
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00403798 GetDriveTypeW,GetDiskFreeSpaceExW
Contains functionality to enum processes or threads
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00403E1D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW
Creates temporary files
  • Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8376.tmp
Might use command line arguments
  • Source: C:\Users\user\Desktop\untitled.exe | Command line argument: bA (0_1_00416230)
PE file has an executable .text section and no other executable section
  • Source: untitled.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
  • Source: C:\Users\user\Desktop\untitled.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display
Sample is known by Antivirus
  • Source: untitled.exe | virustotal: Detection: 50%
Spawns processes
  • Source: unknown | Process created: C:\Users\user\Desktop\untitled.exe 'C:\Users\user\Desktop\untitled.exe'
  • Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 660
Uses new MSVCR Dlls
  • Source: C:\Users\user\Desktop\untitled.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Binary contains paths to debug symbols
  • Source: Binary string: ntkrnlmp.pdbUGP | source: untitled.exe, 00000000.00000002.4989225156.0000000003169000.00000004.sdmp
  • Source: Binary string: ntkrnlmp.pdb | source: untitled.exe, 00000000.00000002.4989225156.0000000003169000.00000004.sdmp
  Both strings sit in the dump region that holds the mapped kernel image; they are the kernel's PDB path, not the sample's.

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_006000DA LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00418EFB push 0000006Ah; retf 0_2_00418FD4
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00418F63 push 0000006Ah; retf 0_2_00418FD4
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00418F65 push 0000006Ah; retf 0_2_00418FD4
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_0040F11D push ecx; ret 0_1_0040F130
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_0040B92A push ecx; ret 0_1_0040B93D
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_00409DF4 push eax; ret 0_1_00409E12
  Two caveats before treating these as obfuscation. A far return (retf) in a 32-bit user-mode image is almost always the disassembler walking through data or junk bytes, and the three hits at 0x418EFB/0x418F63/0x418F65 overlap each other, which is what mis-disassembly looks like. The push reg; ret tails in the 0_1 stage (including 00409DF4, the routine "appearing 78 times" above) have the shape of CRT helpers such as the stack probe. The LoadLibraryA/GetProcAddress resolver at 0_2_006000DA, in the runtime-allocated 0x0060xxxx region, is the real indicator of a second stage that builds its own import table.

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (reported 20 times)
  Every hit in this section is sourced from WerFault.exe, the Windows crash reporter that started because the sample crashed (see "One or more processes crash"); it describes WER's own behaviour, not the sample's.

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_004042EC
Found evasive API chain (may stop execution after checking mutex)
  • Source: C:\Users\user\Desktop\untitled.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-7709)
  Read together with the mutant \Sessions\1\BaseNamedObjects\Global\DAE678E1-967E-6A19-D564-F7FCA6E7AEBC created under System Summary, this is the shape of a single-instance guard: create the named mutex and exit if it already exists. The name is a usable host indicator, and pre-creating the mutex is a cheap way to stop a second run during triage.
Contains functionality for execution timing, often used to detect debuggers
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_0040CCE1 rdtsc
Found evasive API chain (may stop execution after checking a module file name)
  • Source: C:\Users\user\Desktop\untitled.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-7905)
  The sample inspects its own path or file name and exits on the result; since the sandbox renamed untitled.bin to untitled.exe, a re-run under the expected name (once known) may expose more behaviour.
Found evasive API chain checking for process token information
  • Source: C:\Users\user\Desktop\untitled.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-7898)
Queries disk information (often used to detect virtual machines)
  • Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00405971 FindFirstFileW,FindNextFileW,FindClose
Contains functionality to query system information
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00402C26 GetSystemInfo,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,UnmapViewOfFile,DeleteFileW
Program exit points
  • Source: C:\Users\user\Desktop\untitled.exe | API call chain: ExitProcess graph end node (graph_0-7998, graph_0-7750, graph_0-7781, graph_0-7745, graph_0-7706)
Queries a list of all running drivers
  • Source: C:\Users\user\Desktop\untitled.exe | System information queried: ModuleInformation
  SystemModuleInformation returns the load address of every kernel module, ntoskrnl included; together with the ntkrnlmp.exe mapping under Exploits it gives a user-mode exploit the live kernel base it needs to turn file offsets into addresses.
Queries a list of all running processes
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
  • Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_desktop_3f3714ea22baf985.cdf-ms
Contains functionality for execution timing, often used to detect debuggers
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_0040CCE1 rdtsc
Contains functionality to check if a debugger is running (IsDebuggerPresent)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_0040B8B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
  This exact sequence is the MSVC runtime's fault-reporting path (the routine behind __report_gsfailure and abort), which every statically linked CRT carries; on its own it is CRT boilerplate, not deliberate debugger detection. The rdtsc at 0_2_0040CCE1 is the stronger signal.
Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_006000DA LoadLibraryA,GetProcAddress
Contains functionality to read the PEB
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00414855 mov esi, dword ptr fs:[00000030h]
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00416C05 mov eax, dword ptr fs:[00000030h]
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_0041383C mov eax, dword ptr fs:[00000030h]
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_0040B195 mov esi, dword ptr fs:[00000030h]
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_0040B240 mov esi, dword ptr fs:[00000030h]
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_0040B24C mov esi, dword ptr fs:[00000030h]
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00403E00 mov ecx, dword ptr fs:[00000030h]
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00403B48 mov eax, dword ptr fs:[00000030h]
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_006085EC mov eax, dword ptr fs:[00000030h]
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00600005 mov esi, dword ptr fs:[00000030h]
  fs:[30h] is the PEB pointer in the 32-bit TEB. The PEB holds BeingDebugged and NtGlobalFlag, but also the loader module lists that the CRT and any hand-rolled import resolver walk, so a PEB read is only suggestive by itself. 0_2_00600005 sits in the same runtime-allocated region as the LoadLibraryA/GetProcAddress resolver at 0_2_006000DA and is consistent with import resolution rather than a debugger check.
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_0040354E HeapCreate,GetProcessHeap
Enables debug privileges
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_00410F37 SetUnhandledExceptionFilter
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_004090EA _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_0040B8B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_00409F58 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_0040B79B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
  The underscore-prefixed names (_abort, __NMSG_WRITE, _raise) identify these as the CRT's abort/terminate paths, not handlers installed by the sample's own logic.
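The Data Obfuscation, Malware Analysis System Evasion and Anti Debugging sections above are lists of sandbox records, and triage usually means pulling the API chains out of them and tagging the technique each one implies. The following script is an added example written for this page, not Joe Sandbox code and not something the report ships: it parses the record shapes that actually appear above (Code function lines with an API list, with an rdtsc, with a fs:[30h] read, with a push/ret pair, plus the Evasive API call chain and administrative-privilege records) and maps them to technique tags. The tag names, the API-set rules and the "graph" pseudo-id for chain records are this example's own assumptions; the sample lines are copied from the report.

```python
"""Tag anti-analysis techniques from Joe Sandbox signature lines.

Added example for this page, not Joe Sandbox code. Handles the record
shapes visible in the report above:
    Code function: 0_2_006000DA LoadLibraryA,GetProcAddress,0_2_006000DA
    Code function: 0_2_0040CCE1 rdtsc 0_2_0040CCE1
    Code function: 0_2_00414855 mov esi, dword ptr fs:[00000030h]0_2_00414855
    Code function: 0_2_00418EFB push 0000006Ah; retf 0_2_00418FD4
    Evasive API call chain: CreateMutex,DecisionNodes,ExitProcessgraph_0-7709
The tag names and the API-set rules are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# A function id is <process>_<stage>_<address>, e.g. 0_2_004044E2.
FID = r"\d+_\d+_[0-9A-Fa-f]{8}"
CODE_FN = re.compile(r"Code function:\s*(?P<fid>" + FID + r")\s*(?P<body>.*)$")
# The HTML export glues the behaviour-graph node id ("graph_0-7709") onto the last API.
CHAIN = re.compile(r"(?:Evasive API call chain|Check user administrative privileges):"
                   r"\s*(?P<chain>.+?)(?:graph_\d+-\d+)?$")
PEB_READ = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)   # mov reg, fs:[30h] -> TEB->PEB

# A tag fires when every API in the set occurs in the same function (assumed mapping).
API_RULES = {
    "dynamic-api-resolution": {"LoadLibraryA", "GetProcAddress"},
    "isdebuggerpresent": {"IsDebuggerPresent"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW"},
    "wallpaper-change": {"SystemParametersInfoW", "CreateCompatibleBitmap"},
    "csp-random": {"CryptAcquireContextW", "CryptGenRandom"},
    "file-mapping": {"CreateFileMappingW", "MapViewOfFile"},
}


@dataclass
class Finding:
    function_id: str          # "0_2_..." for code functions, "graph" for API-chain records
    apis: list
    tags: set = field(default_factory=set)


def parse_code_function(line: str):
    """Parse one 'Code function:' record; returns a Finding or None."""
    m = CODE_FN.search(line)
    if not m:
        return None
    fid, body = m.group("fid"), m.group("body")
    body = re.sub(FID + r"$", "", body).rstrip(" ,")   # drop the repeated id (link target)
    f = Finding(fid, [])
    if PEB_READ.search(body):
        f.tags.add("peb-read")                 # BeingDebugged / NtGlobalFlag / loader lists
    elif body.startswith("rdtsc"):
        f.tags.add("rdtsc-timing")             # cycle-counter deltas expose single-stepping
    elif re.match(r"push .*; retf?$", body):
        f.tags.add("push-ret-control-flow")    # push/ret = jump the disassembler cannot follow
    else:
        f.apis = [a for a in body.split(",") if a]
        for tag, needed in API_RULES.items():
            if needed <= set(f.apis):
                f.tags.add(tag)
    return f


def parse_chain(line: str):
    """Parse an 'Evasive API call chain' / privilege-check record."""
    m = CHAIN.search(line)
    if not m:
        return None
    apis = m.group("chain").split(",")
    f = Finding("graph", apis)
    # DecisionNodes marks a branch; a chain that branches straight into
    # ExitProcess is an early-exit guard keyed on whatever was checked first.
    if "DecisionNodes" in apis and apis[-1] == "ExitProcess":
        f.tags.add("gated-exit:" + apis[0])
    if "GetTokenInformation" in apis:
        f.tags.add("admin-check")
    return f


def summarize(lines):
    """Map technique tag -> sorted list of function ids (or 'graph')."""
    by_tag = defaultdict(set)
    for line in lines:
        f = parse_code_function(line.strip()) or parse_chain(line.strip())
        if f:
            for tag in f.tags:
                by_tag[tag].add(f.function_id)
    return {tag: sorted(ids) for tag, ids in sorted(by_tag.items())}


# Sample input: records copied from the report above, one per record shape.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\untitled.exeCode function: 0_2_006000DA LoadLibraryA,GetProcAddress,0_2_006000DA",
    r"Source: C:\Users\user\Desktop\untitled.exeCode function: 0_2_0040CCE1 rdtsc 0_2_0040CCE1",
    r"Source: C:\Users\user\Desktop\untitled.exeCode function: 0_2_00414855 mov esi, dword ptr fs:[00000030h]0_2_00414855",
    r"Source: C:\Users\user\Desktop\untitled.exeCode function: 0_2_00418EFB push 0000006Ah; retf 0_2_00418FD4",
    r"Source: C:\Users\user\Desktop\untitled.exeCode function: 0_2_00409B600_2_00409B60",
    r"Source: C:\Users\user\Desktop\untitled.exeCode function: 0_2_00403E94 CryptAcquireContextW,CryptGenRandom,0_2_00403E94",
    r"Source: C:\Users\user\Desktop\untitled.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcessgraph_0-7709",
    r"Source: C:\Users\user\Desktop\untitled.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-7898",
]

if __name__ == "__main__":
    for tag, ids in summarize(SAMPLE_LINES).items():
        print(f"{tag:28s} {', '.join(ids)}")
```

Feed it the full signature section (one record per line) and the output is a tag-to-address index: the PEB reads and rdtsc sites become the breakpoints to set first, and a gated-exit:CreateMutex entry tells you to look for the mutex name in the "Creates mutexes" records before re-running the sample. The rule table is deliberately small; extend API_RULES with the chains that matter to your own triage rather than trusting the sandbox's category headings alone.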

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  • Source: untitled.exe, 00000000.00000000.4858373800.0000000000D90000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
  • Source: untitled.exe, 00000000.00000000.4858373800.0000000000D90000.00000002.sdmp | Binary or memory string: Progman
  • Source: untitled.exe, 00000000.00000000.4858373800.0000000000D90000.00000002.sdmp | Binary or memory string: Program ManagerUR
  Shell_TrayWnd and Progman / "Program Manager" are the class and title of the taskbar and desktop windows; they are what FindWindow is given to reach the shell, which fits the wallpaper and desktop code above at least as well as injection.

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW (0_1_00412840)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA (0_1_0041405D)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW (0_1_004188E0)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen (0_1_004140F5)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement (0_1_0041389A)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage (0_1_00414169)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA (0_1_00418914)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat (0_1_00418A53)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: a long run of back-to-back ___getlocaleinfo calls (0_1_0041322C)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt, a run of ___getlocaleinfo calls, ___free_lconv_mon,InterlockedDecrement,InterlockedDecrement (0_1_00413AF2)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: GetLocaleInfoA (0_1_0041235B)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage (0_1_0041433B)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l (0_1_00418BF0)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA (0_1_004143FC)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA (0_1_00414463)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s (0_1_0041449F)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement (0_1_0040AD07)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: GetLocaleInfoA (0_1_0040D67E)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP (0_1_00413F46)
  All of these are statically linked MSVC runtime routines (the leading-underscore names, _LocaleUpdate, ___free_lconv_num/_mon, setlocale's LCID lookup). They describe the C runtime's locale initialisation, not a language check by the sample; a real "exit if locale is X" gate would show up as an evasive API chain with a DecisionNodes step, which this report does not list.
Contains functionality to query CPU information (cpuid)
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00403644 cpuid
Contains functionality to query local / system time
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_1_00411BE2 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
  This is the CRT's __security_init_cookie (the /GS stack-cookie seed), not a time query by the sample's logic.
Contains functionality to query the account / user name
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_00403BEE GetUserNameW
Contains functionality to query windows version
  • Source: C:\Users\user\Desktop\untitled.exe | Code function: 0_2_006080BC GetSystemInfo,memset,GetCurrentProcess,IsWow64Process,RtlGetVersion
  RtlGetVersion (rather than the shimmed GetVersionEx) plus IsWow64Process is how code picks the right build-specific offsets before a kernel exploit; read it together with the ntkrnlmp.exe mapping and the SystemModuleInformation query.

Behavior Graph

Behavior Graph ID: 126984
Sample: untitled.bin
Start date: 29/04/2019
Architecture: WINDOWS
Score: 64

Nodes and edges (flattened from the graph):
  • sample: Multi AV Scanner detection for submitted file
  • sample -> untitled.exe started
  • untitled.exe: Found evasive API chain (may stop execution after checking mutex)
  • untitled.exe: Accesses ntoskrnl, likely to find offsets for exploits
  • untitled.exe: Contains functionality to change the wallpaper
  • untitled.exe: Contains functionality to detect sleep reduction / modifications
  • untitled.exe -> WerFault.exe started (graph badges 25 and 10, the legend's created-files and created-registry-values counters)
  • WerFault.exe dropped: C:\ProgramData\Microsoft\...\Report.wer, Little-endian

Simulations

Behavior and APIs

Time | Type | Description
00:53:07 | API Interceptor | 1x Sleep call for process: untitled.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
untitled.exe | 50% | virustotal | -

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.untitled.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.3.untitled.exe.650000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.untitled.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.untitled.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

No yara matches for the initial sample, PCAP (network traffic), dropped files, memory dumps or unpacked PEs.

Joe Sandbox View / Context

No context for IPs, domains, ASN, JA3 fingerprints or dropped files.