
Analysis Report winnit.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 129299
Start date: 06.05.2019
Start time: 14:14:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 13s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: winnit.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 64.7% (good quality ratio 60.4%)
  • Quality average: 74.8%
  • Quality standard deviation: 29%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 23
  • Number of non-executed functions: 78
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy    Score   Range     Reporting   Whitelisted   Detection
Threshold   52      0 - 100   -           false         malicious

Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false


Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
Note: the only missing library this report records is wow64log.dll (System Summary, "Tries to load missing DLLs"), so read that entry before acting on this advice.



Mitre Att&ck Matrix

Techniques per tactic as laid out in the report's matrix. A number in parentheses is the count badge the report attached to a matched technique, copied as extracted; entries without a number are the matrix's unmatched grid entries.

Initial Access:        Valid Accounts; Replication Through Removable Media
Execution:             Windows Remote Management; Service Execution
Persistence:           Winlogon Helper DLL; Port Monitors
Privilege Escalation:  Port Monitors; Accessibility Features
Defense Evasion:       Software Packing (1); Obfuscated Files or Information (2)
Credential Access:     Credential Dumping; Network Sniffing
Discovery:             Security Software Discovery (2); System Information Discovery (21)
Lateral Movement:      Application Deployment Software; Remote Services
Collection:            Data from Local System; Data from Removable Media
Exfiltration:          Data Compressed; Exfiltration Over Other Network Medium
Command and Control:   Standard Cryptographic Protocol (1); Fallback Channels

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: winnit.exe, virustotal: Detection: 48%
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.winnit.exe.a90000.0.unpack, Joe Sandbox ML: detected
Source: 0.1.winnit.exe.a90000.0.unpack, Joe Sandbox ML: detected
Source: 0.2.winnit.exe.a90000.0.unpack, Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\winnit.exe, code function 00ABC881 (same in dumps 0_1 and 0_2): FindFirstFileExA

Networking:

Urls found in memory or binary data
Source: winnit.exe, string found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: winnit.exe, string found in binary or memory: http://t2.symcb.com0
Source: winnit.exe, string found in binary or memory: http://tl.symcb.com/tl.crl0
Source: winnit.exe, string found in binary or memory: http://tl.symcb.com/tl.crt0
Source: winnit.exe, string found in binary or memory: http://tl.symcd.com0&
Source: winnit.exe, string found in binary or memory: https://www.thawte.com/cps0/
Source: winnit.exe, string found in binary or memory: https://www.thawte.com/repository0W
Note: every URL here points at Symantec/Thawte certificate-authority infrastructure: .crl and .crt downloads under symcb.com, bare hosts such as http://t2.symcb.com and http://tl.symcd.com in the form OCSP responder URLs take in an Authority Information Access extension, and the thawte.com CPS and repository pages referenced from certificate policies. The stray trailing characters ("0", "0&", "0W", "0/") are the DER tag and length bytes that follow a URI inside X.509 extension data (0x30 is the SEQUENCE tag), which a printable-string scan drags along. These strings therefore come from an embedded certificate chain rather than from the sample's own networking code, and the report records no DNS query or connection. Check whether the file is Authenticode-signed; if it is not, locate where the certificate data sits (overlay, resource or an unpacked payload), since a CA chain embedded without a signature is itself worth a look.
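To show where the trailing junk comes from and how to recover clean URLs from certificate data, the following added example (written for this page; it is not code from the Joe Sandbox report or from the sample) walks DER-encoded X.509 extension data and extracts GeneralName URIs, next to the printable-run scan that produces the report's form. Its input is a constructed CRLDistributionPoints value followed by an AuthorityInfoAccess value built around three of the URLs listed above; the nesting follows RFC 5280, but the bytes are an illustration and not the sample's actual certificate.

```python
import re

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")   # what a plain strings-style scan matches
# accessMethod OIDs (DER value bytes, no tag/length) that precede a URI in an AIA entry
ACCESS_METHODS = {bytes.fromhex("2b06010505073001"): "ocsp",        # id-ad-ocsp
                  bytes.fromhex("2b06010505073002"): "caIssuers"}   # id-ad-caIssuers


def naive_urls(data):
    """Printable-run extraction: keeps whatever bytes happen to follow the URL."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(data)]


def der_tlvs(data):
    """Yield (tag, value) for each DER TLV in data; handles short- and long-form lengths."""
    pos = 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                       # long form: next N bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length


def der_uris(data, label="uri"):
    """Walk nested DER and return (label, url) for every GeneralName
    uniformResourceIdentifier ([6] IMPLICIT IA5String, tag 0x86).  Inside an AIA
    entry the preceding accessMethod OID labels the URI as ocsp or caIssuers; a CRL
    distribution point has no OID and keeps the default label."""
    out = []
    for tag, value in der_tlvs(data):
        if tag == 0x06:                         # OBJECT IDENTIFIER sibling
            label = ACCESS_METHODS.get(value, label)
        elif tag == 0x86:
            out.append((label, value.decode("ascii")))
        elif tag & 0x20:                        # constructed: descend
            out.extend(der_uris(value, label))
    return out


def tlv(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + payload


def uri(url):
    return tlv(0x86, url.encode("ascii"))


def oid(hexbody):
    return tlv(0x06, bytes.fromhex(hexbody))


# Constructed sample (not the sample's real certificate): a CRLDistributionPoints value
# (SEQUENCE of DistributionPoint { [0] { [0] { [6] uri } } }) followed by an
# AuthorityInfoAccess value (SEQUENCE of { accessMethod OID, [6] uri }).
SAMPLE = (tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, uri("http://t1.symcb.com/ThawtePCA.crl")))))
          + tlv(0x30, tlv(0x30, oid("2b06010505073001") + uri("http://t2.symcb.com"))
                + tlv(0x30, oid("2b06010505073002") + uri("http://tl.symcb.com/tl.crt"))))

if __name__ == "__main__":
    print("naive:", naive_urls(SAMPLE))
    print("der:  ", der_uris(SAMPLE))
```

On this input the naive scan returns http://t1.symcb.com/ThawtePCA.crl0I0 and http://t2.symcb.com0&, the same kind of tail seen in the list above (the exact tail bytes depend on the lengths of whatever follows), while der_uris returns the three clean URLs with their roles. Run der_uris over the certificate or extension bytes (for a signed file, the WIN_CERTIFICATE blob in the SECURITY directory), not over the whole image: the walker assumes well-formed DER.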

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\winnit.exe, code functions (the same 26 addresses are reported for dumps 0_1 and 0_2): 00AAC0D0, 00AC0047, 00AA21F0, 00A9D1D0, 00A98110, 00A9E150, 00AA8AA2, 00AA1A30, 00AAC38B, 00AB3320, 00AABB5F, 00AA14A0, 00A9ACD0, 00A9B430, 00AA2C30, 00AB6DB9, 00A9B530, 00A9D500, 00A99560, 00A9F690, 00A9AED0, 00A9FE30, 00AABE09, 00AB0665, 00AAB7ED, 00AAB740
Note: this heuristic fires on arithmetic-heavy code and is not on its own evidence of a cipher; 00AA8AA2, for instance, is the same function flagged further down for its 37 GetProcAddress calls, i.e. an import-resolution routine. Confirm candidates by looking for S-boxes, round constants or calls into the Windows crypto APIs.
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\winnit.exe, code function: string function 00AB229A appears 42 times
Source: C:\Users\user\Desktop\winnit.exe, code function: string function 00AAA050 appears 86 times
Note: this heuristic counts call sites. Small functions called from dozens of places are also what runtime helpers (allocators, stack-cookie checks, string routines) look like, so confirm a decryptor by finding a call whose output is later used as an API name, path or URL.
Tries to load missing DLLs
Source: C:\Users\user\Desktop\winnit.exe, section loaded: wow64log.dll
Note: the WoW64 layer attempts to load wow64log.dll in every 32-bit process on 64-bit Windows, and the DLL is not shipped with the operating system, so this failed load is a property of the analysis VM rather than of the sample. Supplying the library, as the Analysis Advice suggests, is unlikely to change the sample's behaviour.
Classification label
Source: classification engine, classification label: mal52.winEXE@1/0@0/0
PE file has an executable .text section and no other executable section
Source: winnit.exe, static PE information: section .text: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\winnit.exe, key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: this key holds Software Restriction Policy (SAFER) settings and is consulted by Windows components during process start-up and library loading, so the access shows up for practically every executable run in a sandbox and carries no weight on its own.
Sample is known by Antivirus
Source: winnit.exe, virustotal: Detection: 48%
PE file contains a mix of data directories often seen in goodware
Source: winnit.exe, static PE information: data directory types: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: winnit.exe, static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: winnit.exe, static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: winnit.exe, static PE information: IMAGE_DIRECTORY_ENTRY_IMPORT is in .rdata; IMAGE_DIRECTORY_ENTRY_RESOURCE is in .rsrc; IMAGE_DIRECTORY_ENTRY_BASERELOC is in .reloc; IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in .rdata; IMAGE_DIRECTORY_ENTRY_IAT is in .rdata
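The static PE findings above (ASLR and NX flags, a single executable section, every data directory resolving to a section) are worth recomputing yourself, both to confirm them and to catch the opposite cases that matter in triage: a writable and executable section, or a directory whose RVA lands outside every section, which packers and tampered headers produce. The following is an added example, not code from the Joe Sandbox report or from the sample: a headers-only PE parser using just the standard library. Because the sample file is not available here, build_sample_pe constructs a PE32 header image whose section names, flags and directory placement are modelled on this report (the RVAs and sizes are assumptions, not bytes from winnit.exe); its tampered variant shows what the checks flag.

```python
import struct

# Data directory index -> IMAGE_DIRECTORY_ENTRY_* name, in header order.
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# Selected IMAGE_DLLCHARACTERISTICS_* bits.
DLL_CHARS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SCN_CNT_CODE, SCN_CNT_INIT_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def parse_pe(data):
    """Read DllCharacteristics, the data directories and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at +70 for PE32 and PE32+; NumberOfRvaAndSizes moves from
    # +92 to +108 in PE32+ because the stack/heap size fields are 8 bytes wide there.
    ndirs_off = 92 if magic == 0x10B else 108
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, opt + ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": max(vsize, rawsize), "chars": chars})
    return {"dllchars": dllchars, "dirs": dirs, "sections": sections}


def dll_characteristics(pe):
    return sorted(name for bit, name in DLL_CHARS.items() if pe["dllchars"] & bit)


def executable_sections(pe):
    return [s["name"] for s in pe["sections"] if s["chars"] & SCN_MEM_EXECUTE]


def directory_sections(pe):
    """Map each populated directory to the section holding its RVA (None if no section does).
    SECURITY is skipped: its entry is a file offset to the Authenticode blob, not an RVA."""
    out = {}
    for i, (rva, size) in enumerate(pe["dirs"]):
        name = DIR_NAMES[i] if i < len(DIR_NAMES) else "DIR%d" % i
        if size == 0 or name == "SECURITY":
            continue
        out[name] = next((s["name"] for s in pe["sections"]
                          if s["va"] <= rva < s["va"] + s["size"]), None)
    return out


def anomalies(pe):
    """Triage findings: W+X sections, directories outside every section, missing mitigations."""
    found = ["section %s is writable and executable" % s["name"] for s in pe["sections"]
             if s["chars"] & SCN_MEM_WRITE and s["chars"] & SCN_MEM_EXECUTE]
    found += ["directory %s points outside every section" % d
              for d, sec in directory_sections(pe).items() if sec is None]
    found += ["%s not set" % m for m in ("DYNAMIC_BASE", "NX_COMPAT")
              if m not in dll_characteristics(pe)]
    return found


def build_sample_pe(tampered=False):
    """Constructed, headers-only PE32 image modelled on this report (not bytes from winnit.exe):
    sections .text/.rdata/.data/.rsrc/.reloc, DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE, and
    IMPORT/RESOURCE/BASERELOC/DEBUG/LOAD_CONFIG/IAT directories placed as the report lists them.
    tampered=True points IMPORT outside every section and makes .data executable."""
    sections = [(b".text", 0x1000, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
                (b".rdata", 0x2000, SCN_CNT_INIT_DATA | SCN_MEM_READ),
                (b".data", 0x3000, SCN_CNT_INIT_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
                (b".rsrc", 0x4000, SCN_CNT_INIT_DATA | SCN_MEM_READ),
                (b".reloc", 0x5000, SCN_CNT_INIT_DATA | SCN_MEM_READ)]
    dirs = {"IMPORT": (0x2100, 0x50), "RESOURCE": (0x4000, 0x200), "BASERELOC": (0x5000, 0x80),
            "DEBUG": (0x2200, 0x1C), "LOAD_CONFIG": (0x2300, 0x40), "IAT": (0x2000, 0x80)}
    if tampered:
        dirs["IMPORT"] = (0x9000, 0x50)
        sections[2] = (b".data", 0x3000, sections[2][2] | SCN_MEM_EXECUTE)
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # I386, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)    # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 56, 0x6000)                       # SizeOfImage
    struct.pack_into("<HH", opt, 68, 2, 0x8140)                   # Subsystem GUI; DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    for name, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * DIR_NAMES.index(name), rva, size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x200, 0x400 + 0x200 * i,
                                0, 0, 0, 0, chars) for i, (name, va, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(dll_characteristics(pe), executable_sections(pe), directory_sections(pe), anomalies(pe))
    print(anomalies(parse_pe(build_sample_pe(tampered=True))))
```

Point parse_pe at open(path, "rb").read() for a real file. The parser deliberately ignores section contents, so it works on a headers-only dump and on a truncated download; a section whose size would put a directory's RVA beyond the file is still reported as "in" that section, which is the mapping the loader uses.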

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\winnit.exe, code functions (same in dumps 0_1 and 0_2):
  • 00AAA096: push ecx; ret (instruction at 00AAA0A9)
  • 00ABB168: push esp; retf (instruction at 00ABB170)
  • 00AA9AE2: push ecx; ret (instruction at 00AA9AF5)
  • 00ABB766: push esp; retf (instruction at 00ABB767)
Note: this signature matches two-instruction patterns wherever the disassembler sees them. push reg; ret is a return-via-stack idiom that also appears in ordinary runtime helpers, and push esp; retf (bytes 54 CB) would load CS from the stack, which is not a plausible intended sequence in 32-bit user code; it usually comes from data or padding disassembled as code. Confirm both in a disassembler before counting them as obfuscation.

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\winnit.exe, code function 0_2_00AA8AA2: 37 consecutive GetProcAddress calls
Note: a single function resolving dozens of imports by name at start-up is also how a statically linked C runtime probes for APIs that are optional on older Windows versions. Whether this is API hiding depends on which names are resolved and whether they are plaintext or decoded at runtime, which this report does not show; the same function is also listed under "Detected potential crypto function".

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes: thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Note: together with the modified Sleep call under Simulations and the Timeout stop reason, this means the run produced almost no dynamic evidence; the 52/100 score rests on the VirusTotal and Joe Sandbox ML hits, not on observed behaviour.
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\winnit.exe, code function 00ABC881 (same in dumps 0_1 and 0_2): FindFirstFileExA

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\winnit.exe, code function 0_2_00AAE070: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\winnit.exe, code function 00AB47FA (same in dumps 0_1 and 0_2): mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\winnit.exe, code function 0_2_00ABF914: GetProcessHeap
Program does not show much activity (idle)
Source: all processes: thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\winnit.exe, code functions (same in dumps 0_1 and 0_2):
  • 00AA9FA2: SetUnhandledExceptionFilter
  • 00AAE070: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
  • 00AA95BF: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
  • 00AA9E0F: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Note: these call sequences match the Visual C++ runtime's fail-fast and /GS stack-cookie failure paths, which check IsProcessorFeaturePresent, call IsDebuggerPresent, clear the filter with SetUnhandledExceptionFilter, invoke UnhandledExceptionFilter and then TerminateProcess. On their own they do not show deliberate debugger detection; what matters is whether an IsDebuggerPresent result steers control flow outside those error paths. fs:[30h] is the PEB base on 32-bit Windows and is read for BeingDebugged/NtGlobalFlag checks as well as for benign reasons, so look at which PEB field 00AB47FA actually uses.

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\Desktop\winnit.exe, code functions (same in dumps 0_1 and 0_2):
  • 00ABF0BB, 00ABF020, 00AB9FCC, 00ABEFD5: EnumSystemLocalesW
  • 00ABF148: GetLocaleInfoW, GetLocaleInfoW, GetLocaleInfoW
  • 00ABF398, 00ABA371, 00ABF5C8: GetLocaleInfoW
  • 00ABF4C1: GetLocaleInfoW, GetLocaleInfoW, GetACP
  • 00ABED5D: IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW
  • 00ABF695: GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\winnit.exe, code function 0_2_00AAA0AB: cpuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\winnit.exe, code function 0_2_00AA8DFB: GetSystemTimeAsFileTime
Note: EnumSystemLocalesW, GetLocaleInfoW, IsValidCodePage, IsValidLocale, GetUserDefaultLCID and GetACP, with _wcschr parsing locale strings, are the calls the C runtime's setlocale and locale-initialisation code makes; in a statically linked MSVC binary they are present whether or not the program ever inspects the system language. A cpuid at start-up (CPU feature detection) and GetSystemTimeAsFileTime (one of the inputs to the /GS stack-cookie seed) are runtime start-up code as well. Treat all of these as runtime noise unless the values feed a branch the sample acts on, such as exiting on particular locales.

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\winnit.exe, code function 00A91480 (same in dumps 0_1 and 0_2): __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ
Note: the only evidence is a mangled C++ symbol, the exception-handler thunk for the destructor of a Concurrency::details::SafeRWList scoped lock, which belongs to the Visual C++ Concurrency Runtime. No socket, bind, listen or accept API appears anywhere in this report and no network activity was recorded, so treat this as a probable false positive until the function has been inspected.

Behavior Graph

Behavior Graph ID: 129299; Sample: winnit.exe; Start date: 06/05/2019; Architecture: WINDOWS; Score: 52
  • Process node: winnit.exe (started; the only process in the graph)
  • Signatures attached to the sample: Multi AV Scanner detection for submitted file; Antivirus or Machine Learning detection for unpacked file

Simulations

Behavior and APIs

Time       Type              Description
14:15:49   API Interceptor   1x Sleep call for process: winnit.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source       Detection   Scanner      Label
winnit.exe   49%         virustotal   -

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                           Detection   Scanner
0.0.winnit.exe.a90000.0.unpack   100%        Joe Sandbox ML
0.1.winnit.exe.a90000.0.unpack   100%        Joe Sandbox ML
0.2.winnit.exe.a90000.0.unpack   100%        Joe Sandbox ML

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
