
Analysis Report 43doc13062019.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 141276
Start date: 12.06.2019
Start time: 22:35:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 43doc13062019.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.evad.winEXE@101/2@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 96
  • Number of non-executed functions: 245
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 72    | 0 - 100 |           | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column; the number after a technique is the count shown in the report for that technique.

Initial Access: Valid Accounts 2; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Execution through API 1; Graphical User Interface 2; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Registry Run Keys / Startup Folder 1; Valid Accounts 2; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Exploitation for Privilege Escalation 1; Valid Accounts 2; Access Token Manipulation 21; Process Injection 1; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Software Packing 1; Disabling Security Tools 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Valid Accounts 2; Access Token Manipulation 21; Process Injection 1; DLL Side-Loading 1
Credential Access: Input Capture 11; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: System Time Discovery 2; Account Discovery 1; Security Software Discovery 21; File and Directory Discovery 1; System Information Discovery 14; Process Discovery 2; Application Window Discovery 1; System Owner/User Discovery 1
Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Input Capture 11; Clipboard Data 2; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Commonly Used Port 1; Remote File Copy 1; Standard Cryptographic Protocol 1; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\RtkNGUI64\UserOOBEBroker.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: 43doc13062019.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.43doc13062019.exe.9c0000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.43doc13062019.exe.9c0000.0.unpack | Joe Sandbox ML: detected
Source: 0.0.43doc13062019.exe.9c0000.0.unpack | Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose

Networking:

Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState

System Summary:

AutoIt script contains suspicious strings
Source: 43doc13062019.exe | AutoIt Script: 0x69" ) ) ) LOCAL $LPSHELLCODE = $E ($B (YCRPQVMVX
Source: UserOOBEBroker.exe.0.dr | AutoIt Script: 0x69" ) ) ) LOCAL $LPSHELLCODE = $E ($B (YCRPQVMVX
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: This is a third-party compiled AutoIt script. 0_2_009C3B4C
Source: 43doc13062019.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 43doc13062019.exe, 00000000.00000002.608604755.0000000000A4F000.00000002.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: 43doc13062019.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Contains functionality to call native functions
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_3_03D800AD NtOpenSection,NtMapViewOfSection
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A240B1 CreateFileW,_memset,DeviceIoControl,CloseHandle
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A18858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Creates mutexes
Source: C:\Users\user\Desktop\43doc13062019.exe | Mutant created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_001
Detected potential crypto function
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009CE060
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009CE800
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A40AE2
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009E33C7
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009CFE40
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A4804A
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009D4140
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009E2405
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009F6522
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A40665
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009F267E
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009E283A
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009D6843
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009F89DF
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009F6A94
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009D8A0E
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A1EB07
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A28B13
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009ECD61
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009F7006
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009D3190
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009D710E
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009C1287
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009EF419
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009D5680
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009E16C4
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009E78D3
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009D58C0
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009E1BB8
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009EDBB5
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: String function: 009E0D27 appears 65 times
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: String function: 009C7F41 appears 33 times
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: String function: 009E8B40 appears 34 times
PE file contains strange resources
Source: 43doc13062019.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 43doc13062019.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 43doc13062019.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 43doc13062019.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 43doc13062019.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 43doc13062019.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UserOOBEBroker.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UserOOBEBroker.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UserOOBEBroker.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UserOOBEBroker.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UserOOBEBroker.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UserOOBEBroker.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 43doc13062019.exe, 00000000.00000003.605654169.0000000005D05000.00000004.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs 43doc13062019.exe
Source: 43doc13062019.exe, 00000000.00000003.605654169.0000000005D05000.00000004.sdmp | Binary or memory string: OriginalFilenameFNFOSKTWXQTEQDQTQALMVHZQTZDAYLXBTITJLCVS_20190608215415690.exe4 vs 43doc13062019.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\43doc13062019.exe | File read: C:\Users\user\Desktop\43doc13062019.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\43doc13062019.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal72.evad.winEXE@101/2@0/0
Contains functionality for error logging
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2A2D5 GetLastError,FormatMessageW
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A18713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A3F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A386D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009C4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\43doc13062019.exe | File created: C:\Users\user\RtkNGUI64
PE file has an executable .text section and no other executable section
Source: 43doc13062019.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\43doc13062019.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments (.Net)
Source: 43doc13062019.exe | String found in binary or memory: #comments-start
Source: 43doc13062019.exe | String found in binary or memory: EAutoIt v3TaskbarCreatedScript PausedExit/AutoIt3ExecuteScript/AutoIt3ExecuteLine/AutoIt3OutputDebug/ErrorStdOutCMDLINECMDLINERAW>>>AUTOIT NO CMDEXECUTE<<<\AutoIt v3 GUIedit SCRIPTGetNativeSystemInfokernel32.dllrb#comments-end#ce#comments-start#cs
Submission file is bigger than most known malware samples
Source: 43doc13062019.exe | Static file information: File size 1437698 > 1048576
PE file contains a mix of data directories often seen in goodware
Source: 43doc13062019.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 43doc13062019.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 43doc13062019.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 43doc13062019.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 43doc13062019.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 43doc13062019.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directory
Source: 43doc13062019.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb | source: 43doc13062019.exe, 00000000.00000003.605654169.0000000005D05000.00000004.sdmp
PE file contains a valid data directory to section mapping
Source: 43doc13062019.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 43doc13062019.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 43doc13062019.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 43doc13062019.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 43doc13062019.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A3DBDC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
PE file contains an invalid checksum
Source: UserOOBEBroker.exe.0.dr | Static PE information: real checksum: 0x106adc should be: 0x2c5c8a
Source: 43doc13062019.exe | Static PE information: real checksum: 0x106adc should be: 0x15f8cd
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009E8B85 push ecx; ret 0_2_009E8B98

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\43doc13062019.exe | File created: C:\Users\user\RtkNGUI64\UserOOBEBroker.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\43doc13062019.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Load

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009E33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\43doc13062019.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\43doc13062019.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\43doc13062019.exe | Dropped PE file which has not been started: C:\Users\user\RtkNGUI64\UserOOBEBroker.exe
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\43doc13062019.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-83814)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\43doc13062019.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-82826)
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\43doc13062019.exe | API coverage: 6.9 %
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Contains functionality to query system information
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 43doc13062019.exe, 00000000.00000003.603693050.0000000001639000.00000004.sdmp | Binary or memory string: IAJUEFVHGFSW
Source: 43doc13062019.exe, 00000000.00000003.602385676.0000000004241000.00000004.sdmp | Binary or memory string: IAJUEFVHGFSW(
Source: 43doc13062019.exe, 00000000.00000003.607932060.000000000485C000.00000004.sdmp | Binary or memory string: UROQJRHDJNDCEEXNOHGFS
Program exit points
Source: C:\Users\user\Desktop\43doc13062019.exe | API call chain: ExitProcess graph end node (graph_0-82827)

Anti Debugging:

Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A341FD BlockInput
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A3DBDC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_3_03D800AD mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_3_03D800AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_3_03D8022D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_3_03D801CB mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009EA364 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009EA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A18C93 LogonUserW
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A24EF5 mouse_event
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A24C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
May try to detect the Windows Explorer process (often used for injection)
Source: 43doc13062019.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 43doc13062019.exe | Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009E886B cpuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009F50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_00A02230 GetUserNameW
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009F418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Contains functionality to query windows version
Source: C:\Users\user\Desktop\43doc13062019.exe | Code function: 0_2_009C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)
Source: 43doc13062019.exe, Binary or memory string: WIN_81
Source: 43doc13062019.exe, Binary or memory string: WIN_XP
Source: 43doc13062019.exe, Binary or memory string: WIN_XPe
Source: 43doc13062019.exe, Binary or memory string: WIN_VISTA
Source: 43doc13062019.exe, Binary or memory string: WIN_7
Source: 43doc13062019.exe, Binary or memory string: WIN_8
Source: 43doc13062019.exe, Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\43doc13062019.exe, Code function: 0_2_00A36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00A36596
Source: C:\Users\user\Desktop\43doc13062019.exe, Code function: 0_2_00A36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00A36A5A

Behavior Graph

Behavior Graph ID: 141276, Sample: 43doc13062019.exe, Startdate: 12/06/2019, Architecture: WINDOWS, Score: 72

Signatures on the sample:
  • Antivirus or Machine Learning detection for dropped file
  • Antivirus or Machine Learning detection for sample
  • AutoIt script contains suspicious strings
  • 2 other signatures

Process started: 43doc13062019.exe
  Dropped files:
  • C:\Users\user\RtkNGUI64\UserOOBEBroker.exe, PE32
  • C:\...\UserOOBEBroker.exe:Zone.Identifier, ASCII
  Signatures:
  • Creates an undocumented autostart registry key
  • Binary is likely a compiled AutoIt script file

Simulations

Behavior and APIs

Time      Type             Description
22:36:45  API Interceptor  1x Sleep call for process: 43doc13062019.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source             Detection  Scanner
43doc13062019.exe  100%       Joe Sandbox ML

Dropped Files

Source                                      Detection  Scanner
C:\Users\user\RtkNGUI64\UserOOBEBroker.exe  100%       Joe Sandbox ML

Unpacked PE Files

Source                                 Detection  Scanner
0.2.43doc13062019.exe.9c0000.0.unpack  100%       Joe Sandbox ML
0.1.43doc13062019.exe.9c0000.0.unpack  100%       Joe Sandbox ML
0.0.43doc13062019.exe.9c0000.0.unpack  100%       Joe Sandbox ML

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.