Windows
Analysis Report
UmiDataServer v1.0.1.1.exe
Overview
General Information
Detection
Score: | 2 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
- System is w10x64_ra
- UmiDataServer v1.0.1.1.exe (PID: 2624 cmdline:
"C:\Users\ user\Deskt op\UmiData Server v1. 0.1.1.exe" MD5: 75C876A06F5679E880E91897C83789B1) - UmiDataServer v1.0.1.1.tmp (PID: 1544 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-IUS S4.tmp\Umi DataServer v1.0.1.1. tmp" /SL5= "$4036E,46 40132,8325 12,C:\User s\user\Des ktop\UmiDa taServer v 1.0.1.1.ex e" MD5: B55AB2B088236C1B8E96319049824AAA)
- cleanup
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | Key opened: | ||
Source: | Key opened: | ||
Source: | Key opened: | ||
Source: | Key opened: |
Source: | Key opened: |
Source: | Key value created or modified: |
Source: | File read: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | Key value created or modified: |
Source: | Window found: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Owner/User Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | Virustotal | Browse |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1417094 |
Start date and time: | 2024-03-28 15:54:09 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Sample name: | UmiDataServer v1.0.1.1.exe |
Detection: | CLEAN |
Classification: | clean2.winEXE@3/2@0/0 |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
Process: | C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 4.720366600008286 |
Encrypted: | false |
SSDEEP: | |
MD5: | E4211D6D009757C078A9FAC7FF4F03D4 |
SHA1: | 019CD56BA687D39D12D4B13991C9A42EA6BA03DA |
SHA-256: | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 |
SHA-512: | 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E |
Malicious: | false |
Antivirus: |
|
Reputation: | unknown |
Preview: |
Process: | C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3199488 |
Entropy (8bit): | 6.325051083907163 |
Encrypted: | false |
SSDEEP: | |
MD5: | B55AB2B088236C1B8E96319049824AAA |
SHA1: | 6A86BB9499B9753C17BFEFB27C0902A4BBD0A6D2 |
SHA-256: | EA28E21CD84A550B9390B3AE8663A497B4663B7233082230DD6B0812A01F7FAF |
SHA-512: | DD742F5B7A64F41977F81FA3E07F1B984D9D3C55B8C4F0C9BEE76F94ECB11A4830BDE2DDF25643FC48A1E9A16D1C7D04F249D35A16DEC475DD2F23C4C52A32E7 |
Malicious: | false |
Reputation: | unknown |
Preview: |
File type: | |
Entropy (8bit): | 7.906497587104928 |
TrID: |
|
File name: | UmiDataServer v1.0.1.1.exe |
File size: | 5'481'832 bytes |
MD5: | 75c876a06f5679e880e91897c83789b1 |
SHA1: | 13703a9cac7af619e4e79f3dde2dc7890277b448 |
SHA256: | 258fd554afd7aaf894c069a35b2e1ba65fb9f0dd5bb11f9573d800088f18277e |
SHA512: | c0a494c82b46f1c126d4e228d8255621f33c4f18732afac522c05d55e587d956e3249c16a9a548228dde24413d2eb3d3164f4cf480b9701a06ba06d160a5c5ad |
SSDEEP: | 98304:ykLHPnPTX9HH3jYFaJRZtQrgQp9rrtyomB1JlptFQeK4t29s4C1eH9Q:dXTFH3C5htyomhlptW4t5o9Q |
TLSH: | 8546123FF298A13EC4AE1A3205B39250997BBE61781A8C1E07FC744DCF765601E3B656 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 0c0c2d33ceec80aa |
Entrypoint: | 0x4b5eec |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | e569e6f445d32ba23766ad67d1e3787f |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFA4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-3Ch], eax |
mov dword ptr [ebp-40h], eax |
mov dword ptr [ebp-5Ch], eax |
mov dword ptr [ebp-30h], eax |
mov dword ptr [ebp-38h], eax |
mov dword ptr [ebp-34h], eax |
mov dword ptr [ebp-2Ch], eax |
mov dword ptr [ebp-28h], eax |
mov dword ptr [ebp-14h], eax |
mov eax, 004B14B8h |
call 00007F740476AAD5h |
xor eax, eax |
push ebp |
push 004B65E2h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 004B659Eh |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [004BE634h] |
call 00007F740480D5C7h |
call 00007F740480D11Ah |
lea edx, dword ptr [ebp-14h] |
xor eax, eax |
call 00007F7404780574h |
mov edx, dword ptr [ebp-14h] |
mov eax, 004C1D84h |
call 00007F74047656C7h |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [004C1D84h] |
mov dl, 01h |
mov eax, dword ptr [004238ECh] |
call 00007F74047816F7h |
mov dword ptr [004C1D88h], eax |
xor edx, edx |
push ebp |
push 004B654Ah |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
call 00007F740480D64Fh |
mov dword ptr [004C1D90h], eax |
mov eax, dword ptr [004C1D90h] |
cmp dword ptr [eax+0Ch], 01h |
jne 00007F740481386Ah |
mov eax, dword ptr [004C1D90h] |
mov edx, 00000028h |
call 00007F7404781FECh |
mov edx, dword ptr [004C1D90h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x11000 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0xc7000 | 0x11000 | 0x11000 | f1d6259d63d2064f227baadaf623edbc | False | 0.18622185202205882 | data | 3.694167466103365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xc7678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925 |
RT_ICON | 0xc80e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268 |
RT_ICON | 0xc8748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547 |
RT_ICON | 0xc8a30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863 |
RT_ICON | 0xc8b58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095 |
RT_ICON | 0xca180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516 |
RT_ICON | 0xcb028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838 |
RT_ICON | 0xcb8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341 |
RT_ICON | 0xcbe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024 |
RT_ICON | 0xcd120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642 |
RT_ICON | 0xd1348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834 |
RT_ICON | 0xd38f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103 |
RT_ICON | 0xd4998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532 |
RT_STRING | 0xd4e00 | 0x360 | data | 0.34375 | ||
RT_STRING | 0xd5160 | 0x260 | data | 0.3256578947368421 | ||
RT_STRING | 0xd53c0 | 0x45c | data | 0.4068100358422939 | ||
RT_STRING | 0xd581c | 0x40c | data | 0.3754826254826255 | ||
RT_STRING | 0xd5c28 | 0x2d4 | data | 0.39226519337016574 | ||
RT_STRING | 0xd5efc | 0xb8 | data | 0.6467391304347826 | ||
RT_STRING | 0xd5fb4 | 0x9c | data | 0.6410256410256411 | ||
RT_STRING | 0xd6050 | 0x374 | data | 0.4230769230769231 | ||
RT_STRING | 0xd63c4 | 0x398 | data | 0.3358695652173913 | ||
RT_STRING | 0xd675c | 0x368 | data | 0.3795871559633027 | ||
RT_STRING | 0xd6ac4 | 0x2a4 | data | 0.4275147928994083 | ||
RT_RCDATA | 0xd6d68 | 0x10 | data | 1.5 | ||
RT_RCDATA | 0xd6d78 | 0x2c4 | data | 0.6384180790960452 | ||
RT_RCDATA | 0xd703c | 0x2c | data | 1.2045454545454546 | ||
RT_GROUP_ICON | 0xd7068 | 0xbc | data | English | United States | 0.6170212765957447 |
RT_VERSION | 0xd7124 | 0x584 | data | English | United States | 0.27407932011331443 |
RT_MANIFEST | 0xd76a8 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163 |
DLL | Import |
---|---|
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale |
comctl32.dll | InitCommonControls |
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW |
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate |
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree |
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW |
Name | Ordinal | Address |
---|---|---|
TMethodImplementationIntercept | 3 | 0x4541a8 |
__dbk_fcall_wrapper | 2 | 0x40d0a0 |
dbkFCallWrapperAddr | 1 | 0x4be63c |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |