Windows Analysis Report
rslogixbuddy.exe

Overview

General Information

Sample name:rslogixbuddy.exe
Analysis ID:1391063
MD5:03f24da6e7ec5e9162d4b7c60fd77740
SHA1:6325073e38c7aa678ed2de526e8610fce710cdec
SHA256:41db1d3979d423bfcc410706f73fed14d7145e609b0a25e8b8858831adaaaf8f

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

.NET source code contains potential unpacker
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • rslogixbuddy.exe (PID: 7256 cmdline: C:\Users\user\Desktop\rslogixbuddy.exe MD5: 03F24DA6E7EC5E9162D4B7C60FD77740)
    • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Sigma match: PSScriptPolicyTest Creation By Uncommon Process (rule author: Nasreddine Bencherchali, Nextron Systems). Matched Sysmon data: EventID: 11 (File created), Image: C:\Users\user\Desktop\rslogixbuddy.exe, ProcessId: 7256, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpnaoii5.d1s.ps1
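The Sigma hit above rests on one fact worth knowing when reading the rest of this report: the PowerShell engine (System.Management.Automation) writes a probe script named __PSScriptPolicyTest_<random>.<random>.ps1 into %TEMP% when it initialises, to test whether script execution is allowed. When a binary that is not powershell.exe creates that file, the binary is hosting the engine in-process, which is exactly what rslogixbuddy.exe does here (no powershell.exe child appears in the process tree). The following is an added example, not code from the report or from the sample's author, that applies that logic to Sysmon Event ID 11 records. The event list is constructed; its first record reproduces the one quoted above, and the allowlist of expected hosts is a deliberately simplified assumption, not the Sigma rule's own filter list.

```python
import re
from typing import Dict, Iterable, List

# Constructed Sysmon Event ID 11 (FileCreate) records. The first reproduces the
# event the report quotes for PID 7256; the others are made up for contrast.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\rslogixbuddy.exe", "ProcessId": 7256,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpnaoii5.d1s.ps1"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ProcessId": 4120,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k2n0a1qx.abc.ps1"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\rslogixbuddy.exe", "ProcessId": 7256,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rslogixbuddy.exe.log"},
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\rslogixbuddy.exe", "ProcessId": 7256,
     "CommandLine": r"C:\Users\user\Desktop\rslogixbuddy.exe"},
]

# The flattened form in which the report prints the matched event (copied from the page).
REPORT_LINE = (r"EventID: 11, Image: C:\Users\user\Desktop\rslogixbuddy.exe, ProcessId: 7256, "
               r"TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpnaoii5.d1s.ps1")

# The PowerShell engine drops __PSScriptPolicyTest_<random>.<random>.ps1 into
# %TEMP% at start-up to test whether script execution is permitted. Any process
# that creates such a file is hosting the engine.
PROBE_RE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)

# Assumption: a deliberately small allowlist of binaries expected to host the
# engine. The real Sigma rule carries its own, longer filter list.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

_FIELD_RE = re.compile(
    r"(EventID|Image|ProcessId|TargetFilename): (.*?)"
    r"(?=, (?:EventID|Image|ProcessId|TargetFilename): |$)")


def basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return win_path.rsplit("\\", 1)[-1].lower()


def is_policy_probe(path: str) -> bool:
    """True if the created file is the PowerShell execution-policy probe."""
    return PROBE_RE.search(path) is not None


def parse_report_line(line: str) -> Dict[str, object]:
    """Turn the report's 'Key: value, Key: value' line back into an event dict."""
    event: Dict[str, object] = {}
    for m in _FIELD_RE.finditer(line):
        key, value = m.group(1), m.group(2)
        event[key] = int(value) if key in ("EventID", "ProcessId") else value
    return event


def detect_uncommon_ps_host(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag FileCreate events where a non-PowerShell image writes the probe file."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue  # only FileCreate events carry a TargetFilename
        image = str(ev.get("Image", ""))
        target = str(ev.get("TargetFilename", ""))
        if is_policy_probe(target) and basename(image) not in EXPECTED_HOSTS:
            hits.append({"Image": image, "ProcessId": ev.get("ProcessId"),
                         "TargetFilename": target})
    return hits


if __name__ == "__main__":
    for hit in detect_uncommon_ps_host(SAMPLE_EVENTS + [parse_report_line(REPORT_LINE)]):
        print(f"PowerShell engine hosted by {hit['Image']} (PID {hit['ProcessId']}): "
              f"{hit['TargetFilename']}")
```

The probe file is written before any user script runs, so this fires even when the hosted engine is only used to execute a single embedded command string, as appears to be the case for this sample.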
No Snort rule has matched


AV Detection

Source: rslogixbuddy.exe | Joe Sandbox ML: detected
Source: rslogixbuddy.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rslogixbuddy.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: rslogixbuddy.exe, 00000000.00000002.1689846216.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rslogixbuddy.exe, 00000000.00000002.1689846216.0000000002B6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs rslogixbuddy.exe
Source: rslogixbuddy.exe, 00000000.00000002.1689846216.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs rslogixbuddy.exe
Source: rslogixbuddy.exe, 00000000.00000002.1689846216.00000000029FF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.Automation.dllv+ vs rslogixbuddy.exe
Source: rslogixbuddy.exe, 00000000.00000002.1689846216.00000000029FF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs rslogixbuddy.exe
Source: rslogixbuddy.exe, 00000000.00000002.1689846216.00000000029FF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs rslogixbuddy.exe
Note: these OriginalFilename comparisons come from process memory dumps, not from the sample's own version resource, and the one concrete value (System.Management.Automation.dll) is the PowerShell engine assembly loaded into the process. They corroborate that rslogixbuddy.exe hosts PowerShell in-process; they say little about whether the sample itself was renamed.
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: msisip.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: wshext.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Section loaded: userenv.dll
Note: amsi.dll and wldp.dll are loaded by the PowerShell engine for AMSI script scanning and WDAC/lockdown policy checks; their presence in a process that is not powershell.exe is another sign that the engine is hosted in-process.
Source: rslogixbuddy.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rslogixbuddy.exe, MainApp.cs | Base64 encoded string: 'UmVtb3ZlLUl0ZW0gLVJlY3Vyc2UgLUZvcmNlIC1Db25maXJtOiRmYWxzZSBDOlxQcm9ncmFtRGF0YVwiUm9ja3dlbGwgQXV0b21hdGlvbiJcIkZhY3RvcnlUYWxrIEFjdGl2YXRpb24iXCA=' (decodes to the PowerShell command Remove-Item -Recurse -Force -Confirm:$false C:\ProgramData\"Rockwell Automation"\"FactoryTalk Activation"\ , a silent recursive deletion of the FactoryTalk Activation directory under ProgramData; this matches the in-process PowerShell engine observed elsewhere in the report)
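Base64 literals in a decompiled .NET assembly are cheap to decode and often reveal the real payload, as the one above does. The block below is an added example, not code from the report or from the sample's author: it scans a byte buffer for Base64-alphabet runs, decodes those that yield printable ASCII or UTF-16LE text (the form powershell.exe expects for -EncodedCommand), and flags decoded text containing Verb-Noun cmdlet names. The buffer is constructed for the example; it embeds the literal quoted in the report, a made-up UTF-16LE-encoded command, and some junk that is valid Base64 but decodes to binary.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed stand-in for a strings dump of the .NET assembly: the Base64
# literal quoted in the report, a UTF-16LE-encoded command of the kind passed
# to powershell -EncodedCommand (made up here), and non-Base64 noise.
REPORT_LITERAL = (b"UmVtb3ZlLUl0ZW0gLVJlY3Vyc2UgLUZvcmNlIC1Db25maXJtOiRmYWxzZSBDOlxQcm9ncmFtRGF0YVwi"
                  b"Um9ja3dlbGwgQXV0b21hdGlvbiJcIkZhY3RvcnlUYWxrIEFjdGl2YXRpb24iXCA=")
ENCODED_COMMAND = base64.b64encode("Get-Process | Out-Null".encode("utf-16-le"))
SAMPLE_DUMP = b"\x00".join([
    b"MainApp", b"get_Prompt", REPORT_LITERAL, b"System.Management.Automation",
    ENCODED_COMMAND,
    b"b77a5c561934e089ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn",  # Base64 alphabet, junk content
])

# Runs of the Base64 alphabet long enough to be worth decoding, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")
# Verb-Noun cmdlet names (Remove-Item, Get-Process, ...) are a cheap PowerShell tell.
CMDLET_RE = re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b")


def _printable(raw: bytes) -> bool:
    """True if every byte is printable ASCII or tab/newline/carriage return."""
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def as_text(raw: bytes) -> Optional[str]:
    """Return decoded bytes as text if they are printable ASCII or UTF-16LE ASCII."""
    if _printable(raw):
        return raw.decode("ascii")
    # UTF-16LE ASCII: every high byte is zero, every low byte printable.
    if len(raw) >= 4 and len(raw) % 2 == 0 and not any(raw[1::2]) and _printable(raw[0::2]):
        return raw[0::2].decode("ascii")
    return None


def scan_base64(data: bytes) -> List[Dict[str, object]]:
    """Find Base64 runs in a byte buffer that decode to readable text."""
    hits: List[Dict[str, object]] = []
    for m in B64_RUN.finditer(data):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or padding: not a real Base64 blob
        text = as_text(raw)
        if text is None:
            continue  # decodes, but to binary junk (hashes, GUIDs, random data)
        hits.append({
            "offset": m.start(),
            "decoded": text,
            "powershell": CMDLET_RE.search(text) is not None,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_base64(SAMPLE_DUMP):
        flag = "POWERSHELL" if hit["powershell"] else "text"
        print(f"{hit['offset']:#06x} [{flag}] {hit['decoded']}")
```

The minimum run length of 20 and the printable-text filter keep hex strings, public-key tokens and similar Base64-looking noise out of the results; lower the threshold only when hunting for short encoded fragments, and expect more false positives when you do.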
Source: classification engine | Classification label: mal48.evad.winEXE@2/4@0/0
Source: C:\Users\user\Desktop\rslogixbuddy.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rslogixbuddy.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\rslogixbuddy.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpnaoii5.d1s.ps1
Source: rslogixbuddy.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rslogixbuddy.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy settings)
Source: unknown | Process created: C:\Users\user\Desktop\rslogixbuddy.exe C:\Users\user\Desktop\rslogixbuddy.exe
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\rslogixbuddy.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: rslogixbuddy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rslogixbuddy.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Note: the PE header is marked 32-bit, but the COM descriptor identifies a .NET assembly, and the process resolves Framework64 mscorrc.dll and GAC_64 assemblies, so it actually runs as a 64-bit CLR process (an AnyCPU build). The only child is conhost.exe, which the console subsystem attaches to any console application; no powershell.exe is spawned, because the PowerShell engine that wrote the __PSScriptPolicyTest_*.ps1 file runs inside rslogixbuddy.exe.

Data Obfuscation

Source: rslogixbuddy.exe, MainModuleUI.cs | .Net Code: Prompt
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Code function: 0_2_00007FFD9B77D2A5 pushad ; iretd 0_2_00007FFD9B77D2A6
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Process information set: NOOPENFILEERRORBOX (reported 63 times)
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Memory allocated: DE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Memory allocated: 1A9F0000 memory reserve | memory write watch
Note: MEM_WRITE_WATCH reservations are also made by the CLR garbage collector for managed heaps, so on a .NET executable this signature is weak on its own.
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rslogixbuddy.exe TID: 7348 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Thread delayed: delay time: 922337203685477
Note: 922337203685477 is 2^63 divided by 10,000, i.e. the largest relative 64-bit wait in 100 ns units expressed in milliseconds; that is how an INFINITE timeout appears once converted, and the negative value on the TID 7348 line marks it as a relative wait. Together with the .Net "Prompt" code in MainModuleUI.cs and the conhost.exe child, this is consistent with a console program blocking on user input rather than a timed sleep chosen to outlast the sandbox. The long-sleep and "execution stops while sleeping" signatures should be weighed with that in mind; the sandbox may simply have been waiting at a prompt.
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Queries volume information: C:\Users\user\Desktop\rslogixbuddy.exe VolumeInformation
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\rslogixbuddy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix: techniques with matched signatures, grouped by tactic. The number in brackets is the matrix's own annotation next to each technique, reproduced as shown.

  • Persistence: DLL Side-Loading [1]
  • Privilege Escalation: Process Injection [1], DLL Side-Loading [1]
  • Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [31], Software Packing [1], Process Injection [1], DLL Side-Loading [1], Obfuscated Files or Information [11]
  • Discovery: Process Discovery [1], Virtualization/Sandbox Evasion [31], System Information Discovery [12]
  • No techniques matched under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration or Impact.
Behavior Graph ID: 1391063 | Sample: rslogixbuddy.exe | Start date: 12/02/2024 | Architecture: WINDOWS | Score: 48
Graph: rslogixbuddy.exe started (attached signatures: .NET source code contains potential unpacker; Machine Learning detection for sample) → conhost.exe started
