
Analysis Report 56KHL48745.exe

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:127473
Start date:30.04.2019
Start time:13:03:47
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 5s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:56KHL48745.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.winEXE@4/1@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 95% (good quality ratio 60%)
  • Quality average: 40.8%
  • Quality standard deviation: 35.9%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe
  • Execution Graph export aborted for target 56KHL48745.exe, PID 2904 because there are no executed functions
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: 56KHL48745.exe

Detection

Strategy: Threshold
Score: 52
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample tries to load a library that is not present on the analysis machine; adding the library might reveal more behavior. (See "Tries to load missing DLLs" under System Summary: the only missing module is wow64log.dll, which the WOW64 layer probes for every 32-bit process, so in this case adding it is unlikely to change the result.)



Mitre Att&ck Matrix

In the original matrix a number after a technique is the count of signatures that matched it; techniques without a number are the unmatched placeholders of the matrix layout.

Matched techniques by tactic:
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Software Packing (1), Disabling Security Tools (1), Process Injection (1), Obfuscated Files or Information (2)
  • Credential Access: Input Capture (1)
  • Discovery: Security Software Discovery (1)
  • Collection: Input Capture (1)

Unmatched techniques shown in the matrix:
  • Initial Access: Valid Accounts, Replication Through Removable Media, Drive-by Compromise, Exploit Public-Facing Application
  • Execution: Windows Remote Management, Service Execution, Windows Management Instrumentation, Scheduled Task
  • Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware
  • Privilege Escalation: Accessibility Features, Path Interception, DLL Search Order Hijacking
  • Credential Access: Network Sniffing, Input Capture, Credentials in Files
  • Discovery: Application Window Discovery, Query Registry, System Network Configuration Discovery
  • Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts
  • Collection: Data from Removable Media, Data from Network Shared Drive, Input Capture
  • Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted
  • Command and Control: Data Obfuscation, Fallback Channels, Custom Cryptographic Protocol, Multiband Communication

Signature Overview


AV Detection:

Antivirus or Machine Learning detection for sample
Source: 56KHL48745.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.1.56KHL48745.exe.1080000.0.unpack | Joe Sandbox ML: detected
Source: 2.2.56KHL48745.exe.1080000.0.unpack | Joe Sandbox ML: detected
Source: 2.1.56KHL48745.exe.1080000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.56KHL48745.exe.4b00000.2.unpack | Joe Sandbox ML: detected
Source: 2.0.56KHL48745.exe.1080000.0.unpack | Joe Sandbox ML: detected
Source: 2.0.56KHL48745.exe.1080000.2.unpack | Joe Sandbox ML: detected
Source: 0.2.56KHL48745.exe.1080000.0.unpack | Joe Sandbox ML: detected
Source: 2.0.56KHL48745.exe.1080000.1.unpack | Joe Sandbox ML: detected
Source: 0.0.56KHL48745.exe.1080000.0.unpack | Joe Sandbox ML: detected
Note: every hit comes from Joe Sandbox's own ML classifier; no third-party antivirus engine is listed on this page. The dump names read process index.dump stage.name.base address.n: eight of the nine are the sample image at its 0x1080000 base in the first (0) and second (2) instance, and one is a separate region at 0x4b00000 in process 0.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 56KHL48745.exe, 00000000.00000002.5132925432.00000000000E0000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Caveat: the matched string names DirectDrawCreateEx in DDRAW.DLL, a DirectDraw (graphics) export, not a DirectInput (DINPUT8.DLL) one, and it is a hook-configuration fragment found in memory rather than an observed API call. On its own it is weak evidence of keystroke capture.

System Summary:

Creates mutexes
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2904
One or more processes crash
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 80
Note: both the mutex name and the -p argument name PID 2904, the 56KHL48745.exe instance under which WerFault.exe appears in the behavior graph, as the process that crashed.
Sample file is different than original file name gathered from version info
Source: 56KHL48745.exe, 00000000.00000002.5132925432.00000000000E0000.00000004.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs 56KHL48745.exe
Source: 56KHL48745.exe, 00000000.00000002.5142185298.000000000112C000.00000002.sdmp | Binary or memory string: OriginalFilenameKHL48745.exe@ vs 56KHL48745.exe
Source: 56KHL48745.exe, 00000000.00000002.5157037961.0000000003D83000.00000004.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs 56KHL48745.exe
Source: 56KHL48745.exe, 00000000.00000002.5157037961.0000000003D83000.00000004.sdmp | Binary or memory string: OriginalFilenameIPAFVXYQJONTKMYHXOMWGJLMXGFQRYAMRXPMPRJA_20190430114559434.exe4 vs 56KHL48745.exe
Source: 56KHL48745.exe, 00000000.00000002.5158095232.00000000048C0000.00000002.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 56KHL48745.exe
Source: 56KHL48745.exe, 00000002.00000000.5129576601.000000000112C000.00000002.sdmp | Binary or memory string: OriginalFilenameKHL48745.exe@ vs 56KHL48745.exe
Source: 56KHL48745.exe | Binary or memory string: OriginalFilenameKHL48745.exe@ vs 56KHL48745.exe
Note: mscorwks.dll and mscorrc.dll are .NET Framework 2.0 runtime modules mapped into the process, so those two hits are expected noise. KHL48745.exe is the sample's own OriginalFilename (the file was renamed with a "56" prefix). IELibrary.dll and IPAFVXYQJONTKMYHXOMWGJLMXGFQRYAMRXPMPRJA_20190430114559434.exe appear only in a heap region (0x3D83000) and, together with the IELibrary.pdb path below, point to additional assemblies present in the process's memory, distinct from the sample's own version information.
Tries to load missing DLLs
Source: C:\Users\user\Desktop\56KHL48745.exe | Section loaded: wow64log.dll (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: wow64log.dll
Note: wow64log.dll is probed by the WOW64 layer for every 32-bit process on 64-bit Windows and is absent on stock installs; WerFault.exe triggers the same probe. This is the missing library behind the Analysis Advice above and is not sample-specific.
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: 56KHL48745.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: mal52.winEXE@4/1@0/0
Creates files inside the user directory
Source: C:\Users\user\Desktop\56KHL48745.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\56KHL48745.exe.log
Note: CLR usage logs are written by the .NET Framework's assembly usage logging; this file is a by-product of running a managed executable, not a payload drop.
PE file has an executable .text section and no other executable section
Source: 56KHL48745.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\56KHL48745.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\56KHL48745.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\56KHL48745.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Note: the modules come from NativeImages_v2.0.50727_32 and GAC_32, i.e. the 32-bit .NET Framework 2.0 CLR; the "Skipping Hybrid Code Analysis" warning above is the consequence.
Reads software policies
Source: C:\Users\user\Desktop\56KHL48745.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: this is the Software Restriction Policies key, which the CLR consults when loading assemblies; for managed code it is routine rather than deliberate security-software discovery.
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\56KHL48745.exe 'C:\Users\user\Desktop\56KHL48745.exe'
Source: unknown | Process created: C:\Users\user\Desktop\56KHL48745.exe C:\Users\user\Desktop\56KHL48745.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 80
Source: C:\Users\user\Desktop\56KHL48745.exe | Process created: C:\Users\user\Desktop\56KHL48745.exe C:\Users\user\Desktop\56KHL48745.exe
Note: "Source: unknown" marks starts whose parent the sandbox did not attribute (its own launch of the sample, and WerFault.exe). The last line is the sample starting a second copy of itself, the suspended creation reported under HIPS / PFW / Operating System Protection Evasion below.
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\56KHL48745.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Caveat: mscorrc.dll under Framework\v2.0.50727 is the .NET Framework 2.0 CLR's resource DLL, not a Silverlight component; the signature name is a misattribution.
PE file contains a COM descriptor data directory
Source: 56KHL48745.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Note: this directory holds the CLR header; its presence is what marks the file as a managed (.NET) executable.
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\56KHL48745.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Note: MSVCR80.dll is the Visual C++ 2005 runtime; the .NET 2.0 CLR (mscorwks.dll) depends on it, so it is loaded by the runtime rather than imported by the sample.
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 56KHL48745.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Note: this is the DllCharacteristics set the C# compiler emits by default for managed executables; it is not evidence of deliberate hardening by the author.
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb | source: 56KHL48745.exe, 00000000.00000002.5157037961.0000000003D83000.00000004.sdmp
Source: Binary string: mscorrc.pdb | source: 56KHL48745.exe, 00000000.00000002.5158095232.00000000048C0000.00000002.sdmp
Note: the IELibrary.pdb path is a Debug-configuration build path from the developer's machine and is a usable pivot (project name, build path); mscorrc.pdb belongs to the runtime.

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.95616254741
Note: 8 bits per byte is the maximum; 7.956 over the only executable section means the section body is essentially incompressible, consistent with the "zlib compression ratio < 0.3" signature under System Summary and with a .NET file whose real code is unpacked at run time.
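The two static signatures above (an executable .text section with a zlib compression ratio below 0.3, and a .text entropy of 7.956) come from the same measurement. The following is an added example, not Joe Sandbox code, showing how to reproduce it: a minimal PE section parser plus per-section Shannon entropy and a zlib ratio. The report does not define its ratio; here it is taken as the fraction of the section zlib saves, the reading under which the stated threshold and the near-8-bit entropy agree. The test image is constructed by build_test_pe() and the thresholds (7.0 bits, 0.3 saving) are assumptions, not the sandbox's exact values.

```python
import math
import random
import struct
import zlib

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_saving(data: bytes) -> float:
    """Fraction of the section zlib removes (assumed meaning of the report's 'ratio'):
    ordinary code saves well over 0.3, packed or encrypted data saves about 0."""
    if not data:
        return 0.0
    return 1.0 - len(zlib.compress(data, 9)) / len(data)


def pe_sections(pe: bytes):
    """Yield (name, bytes, characteristics) for every section of a PE image.
    Minimal parser: DOS header -> e_lfanew -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        (name, vsize, _va, raw_size, raw_ptr,
         _r, _l, _nr, _nl, chars) = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        # File-alignment padding is zeros and would dilute the entropy, so measure
        # only the bytes the loader maps (VirtualSize) when it is set.
        length = min(raw_size, vsize) if vsize else raw_size
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + length], chars


def packed_code_sections(pe: bytes, max_saving: float = 0.3, min_entropy: float = 7.0):
    """Executable sections zlib barely shrinks and whose entropy is near 8 bits/byte,
    the combination the report flags. Returns [(name, entropy, saving), ...]."""
    hits = []
    for name, data, chars in pe_sections(pe):
        if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            continue
        entropy, saving = shannon_entropy(data), zlib_saving(data)
        if entropy >= min_entropy and saving < max_saving:
            hits.append((name, round(entropy, 3), round(saving, 3)))
    return hits


def build_test_pe(sections):
    """Build a minimal PE32 file from (name, data, characteristics) triples.
    Constructed for this example; headers are only as complete as pe_sections() needs."""
    opt_size, align = 224, 0x200                    # PE32 optional header size, file alignment
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-headers_len // align) * align    # round up to the file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, data, chars in sections:
        raw_size = -(-len(data) // align) * align
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(data), va,
                             raw_size, first_raw + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        va += -(-raw_size // 0x1000) * 0x1000
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0")
    return bytes(headers + body)


def sample_pe() -> bytes:
    """Constructed sample: a near-random executable .text (as in the report), a
    low-entropy executable .init, and random but non-executable .rsrc data."""
    rng = random.Random(1234)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    plain = b"\x90" * 2048 + bytes(range(256)) * 4
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    return build_test_pe([(".text", noise, code), (".init", plain, code),
                          (".rsrc", noise, IMAGE_SCN_MEM_READ)])


if __name__ == "__main__":
    for hit in packed_code_sections(sample_pe()):
        print("likely packed:", hit)
```

Only the random executable section is reported; the equally random .rsrc section is skipped because it is not executable, and the executable .init section is skipped because it compresses well. On a real file, pass the file's bytes to packed_code_sections() directly.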

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\56KHL48745.exe | Process information set: NOOPENFILEERRORBOX (37 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\56KHL48745.exe | Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\56KHL48745.exe TID: 3244 | Thread sleep time: -922337203685477s >= -30000s
Caveat: 922337203685477 is 2^63 / 10000, i.e. a relative NtDelayExecution interval of 0x8000000000000000 in 100 ns units, which is how Sleep(INFINITE) (and therefore .NET Thread.Sleep(Timeout.Infinite)) reaches the kernel; the unit on the second line is milliseconds despite the "s" suffix. A single infinite wait on one thread (TID 3244) is what a parent that has started a child and has nothing left to do looks like, so it is not by itself a timed evasion loop. The Simulations section records that the sandbox patched this one Sleep call.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\56KHL48745.exe | Process queried: DebugPort (2 occurrences)
Note: NtQueryInformationProcess(ProcessDebugPort) is the primitive behind CheckRemoteDebuggerPresent.
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\56KHL48745.exe | Memory allocated: page read and write | page guard
Caveat: PAGE_GUARD allocations are also used routinely for thread stack growth, so two DebugPort queries and one guard page in a managed process are weak indicators.

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\56KHL48745.exe | Process created: C:\Users\user\Desktop\56KHL48745.exe C:\Users\user\Desktop\56KHL48745.exe
Note: starting a suspended copy of its own image is the classic set-up for process hollowing (the Process Injection entries in the ATT&CK matrix). Here the second instance, PID 2904, crashed (WerFault.exe -p 2904) and had no executed functions, so whatever was written into it did not run to completion in this analysis. The dump 0.2.56KHL48745.exe.4b00000.2.unpack, taken from process 0 at an address outside its 0x1080000 image base, is the best candidate for the stage that was meant for the child.
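The pattern this section describes, a binary outside the system directory starting a copy of itself whose child then crashes into WerFault.exe, is detectable from ordinary process-creation telemetry even where the CREATE_SUSPENDED flag is not logged. The following is an added example, not Joe Sandbox code, run over constructed events that mirror this report's process tree: PID 2904 and the WerFault.exe command line are taken from the report; the parent PID 1888, the WerFault.exe PID 3320, the PID 1000 launcher and the benign cmd.exe pair are assumptions made for the example. The system-directory exclusion is also an assumption chosen to suppress routine self-spawns such as cmd.exe starting cmd.exe.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    """One process-creation event, the subset of fields any EDR/Sysmon feed carries."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed telemetry modelled on the report. PID 2904 and the WerFault.exe command
# line are from the report; every other PID and the cmd.exe pair are assumptions.
SAMPLE_EVENTS = [
    ProcessStart(1888, 1000, r"C:\Users\user\Desktop\56KHL48745.exe",
                 r"'C:\Users\user\Desktop\56KHL48745.exe'"),
    ProcessStart(2904, 1888, r"C:\Users\user\Desktop\56KHL48745.exe",
                 r"C:\Users\user\Desktop\56KHL48745.exe"),
    ProcessStart(3320, 2904, r"C:\Windows\SysWOW64\WerFault.exe",
                 r"C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 80"),
    ProcessStart(4100, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessStart(4120, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo nested"),
]

# WerFault.exe names the crashed process with -p <pid> (see the report's command line).
WER_PID_RE = re.compile(r"(?i)\bWerFault\.exe\b.*?\s-p\s+(\d+)")
SYSTEM_PREFIXES = ("c:\\windows\\",)   # assumption: system binaries respawning are out of scope


def is_user_path(image: str) -> bool:
    """True for images outside the Windows directory (user-writable locations)."""
    return not image.lower().startswith(SYSTEM_PREFIXES)


def wer_crashed_pids(events):
    """PIDs that Windows Error Reporting was launched for."""
    pids = set()
    for e in events:
        if e.image.lower().endswith("\\werfault.exe"):
            m = WER_PID_RE.search(e.cmdline)
            if m:
                pids.add(int(m.group(1)))
    return pids


def self_spawns(events):
    """(parent, child) pairs where a process started a copy of its own image."""
    by_pid = {e.pid: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            pairs.append((parent, e))
    return pairs


def hollowing_candidates(events):
    """Self-spawns from user-writable paths, annotated with whether the child crashed,
    which is exactly the shape of this report's process tree."""
    crashed = wer_crashed_pids(events)
    findings = []
    for parent, child in self_spawns(events):
        if not is_user_path(child.image):
            continue
        findings.append({
            "parent_pid": parent.pid,
            "child_pid": child.pid,
            "image": child.image,
            "child_crashed": child.pid in crashed,
        })
    return findings


if __name__ == "__main__":
    for finding in hollowing_candidates(SAMPLE_EVENTS):
        print(finding)
```

A crashed child raises confidence rather than being required: a hollowing attempt that succeeds produces no WerFault.exe at all, which is why the self-spawn from a user-writable path is the primary signal and the crash only an annotation. Feed real events by mapping your telemetry's fields onto ProcessStart.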

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 127473 | Sample: 56KHL48745.exe | Startdate: 30/04/2019 | Architecture: WINDOWS | Score: 52
Signatures attached to the sample node: Antivirus or Machine Learning detection for sample; Antivirus or Machine Learning detection for unpacked file
Process tree:
  • 56KHL48745.exe (started); dropped C:\Users\user\AppData\...\56KHL48745.exe.log (ASCII)
    • 56KHL48745.exe (started by the first instance)
      • WerFault.exe (started)

Simulations

Behavior and APIs

Time: 13:04:43 | Type: API Interceptor | Description: 1x Sleep call for process: 56KHL48745.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label | Link
56KHL48745.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label | Link
0.1.56KHL48745.exe.1080000.0.unpack | 100% | Joe Sandbox ML | |
2.2.56KHL48745.exe.1080000.0.unpack | 100% | Joe Sandbox ML | |
2.1.56KHL48745.exe.1080000.0.unpack | 100% | Joe Sandbox ML | |
0.2.56KHL48745.exe.4b00000.2.unpack | 100% | Joe Sandbox ML | |
2.0.56KHL48745.exe.1080000.0.unpack | 100% | Joe Sandbox ML | |
2.0.56KHL48745.exe.1080000.2.unpack | 100% | Joe Sandbox ML | |
0.2.56KHL48745.exe.1080000.0.unpack | 100% | Joe Sandbox ML | |
2.0.56KHL48745.exe.1080000.1.unpack | 100% | Joe Sandbox ML | |
0.0.56KHL48745.exe.1080000.0.unpack | 100% | Joe Sandbox ML | |

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.