Windows
Analysis Report
SGIART9.exe
Overview
General Information
Detection
Field | Value
---|---
Score | 3
Range | 0 - 100
Whitelisted | false
Confidence | 80%
Signatures
Classification
- System is w10x64
- SGIART9.exe (PID: 3852, cmdline: "C:\Users\user\Desktop\SGIART9.exe", MD5: 0A404629A2A8A1185C3048D164F7ECA2)
- cleanup
There are no malicious signatures.
Source | Detail
---|---
Static PE information |
Code function | 1_2_00401198
Code function | 1_2_00401244
Binary or memory string |
Section loaded |
Classification label |
Key opened |
Static file information |
Code function | 1_2_004154C0
Code function | 1_2_00415B71
Thread injection, dropped files, key value created, disk infection and DNS query |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Information Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Detection | Scanner | Label
---|---|---
5% | ReversingLabs |
3% | Virustotal |
Field | Value
---|---
Joe Sandbox version | 40.0.0 Tourmaline
Analysis ID | 1417156
Start date and time | 2024-03-28 17:19:00 +01:00
Joe Sandbox product | CloudBasic
Overall analysis duration | 0h 4m 0s
Hypervisor based Inspection enabled | false
Report type | full
Cookbook file name | default.jbs
Analysis system description | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed | 6
Number of new started drivers analysed | 0
Number of existing processes analysed | 0
Number of existing drivers analysed | 0
Number of injected processes analysed | 0
Technologies |
Analysis Mode | default
Analysis stop reason | Timeout
Sample name | SGIART9.exe
Detection | CLEAN
Classification | clean3.winEXE@1/0@0/0
EGA Information | Failed
HCA Information |

Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target SGIART9.exe, PID 3852 because there are no executed functions
Field | Value
---|---
File type |
Entropy (8bit) | 5.593662939621002
TrID |
File name | SGIART9.exe
File size | 1'283'072 bytes
MD5 | 0a404629a2a8a1185c3048d164f7eca2
SHA1 | c40fee8f8a0247359a05c9db8be6fb66ca65b452
SHA256 | 5f7a67bd387dfc4c9d750cdc0ced3e4efb37dcc918a0ce4869f3561b88944873
SHA512 | c8b41c996f66af9df25ec9b313c17d8ff7abe68b2b53e118e4cc467dc1090a5c9b90650ffd0ee7b51ed02803083970dac1f70a0230d7654e3b76e36c15f96e75
SSDEEP | 24576:pIzhlr97NFmJjPHW0iQpLmGJnIHgtzQyVgodt:psqjcGJIHgtz/Vgo7
TLSH | 4855F67296279A17C5D32B70EB8BC1101D2D3D8E7E33C653B1287269AA33102AD567FD
File Content Preview | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)F.................0...................@....@........................................................................
Icon Hash | 9299ececb6a6acd2
Entrypoint | 0x401198
Entrypoint Section | .text
Digitally signed | false
Imagebase | 0x400000
Subsystem | windows gui
Image File Characteristics | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics |
Time Stamp | 0x46290CC4 [Fri Apr 20 18:56:04 2007 UTC]
TLS Callbacks |
CLR (.Net) Version |
OS Version Major | 4
OS Version Minor | 0
File Version Major | 4
File Version Minor | 0
Subsystem Version Major | 4
Subsystem Version Minor | 0
Import Hash | 74f34a3b1e38a361829bcf0cdb946308
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x131000 | 0x28 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x125000 | 0xbd78 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x132000 | 0xa35c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x123900 | 0xb | .text |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x240 | 0x1c | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x123000 | 0x122a00 | db81d166cb95214200d0ab65c40ee0d8 | False | 0.2939180107526882 | data | 5.481469643936214 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.bss | 0x124000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x125000 | 0xc000 | 0xbe00 | 503797293ad38623cf7f1fc4cd146438 | False | 0.35047286184210524 | data | 4.926783178900168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.idata | 0x131000 | 0x1000 | 0x400 | 0110ab2b27565333dd80968c69c835f7 | False | 0.4091796875 | data | 3.6667890631988054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x132000 | 0xb000 | 0xa400 | 73949eab857563b837365fcea5261ec9 | False | 0.7158679496951219 | data | 6.465663215252826 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | ZLIB Complexity
---|---|---|---|---
TYPELIB | 0x126700 | 0x5588 | data | 0.44172451589331385
_IID_COLORPALL | 0x126610 | 0x14 | data | 1.45
_IID_FONTADD | 0x126570 | 0x14 | data | 1.45
_IID_FORM1 | 0x1266ec | 0x14 | data | 1.45
_IID_FORM2 | 0x1266c4 | 0x14 | data | 1.4
_IID_FORM3 | 0x1266b0 | 0x14 | data | 1.45
_IID_FORM4 | 0x12669c | 0x14 | data | 1.45
_IID_FORM5 | 0x12664c | 0x14 | data | 1.45
_IID_FORMATT | 0x126598 | 0x14 | data | 1.45
_IID_FORMDIST | 0x1265d4 | 0x14 | data | 1.45
_IID_FORMDUBLE5 | 0x1265c0 | 0x14 | data | 1.45
_IID_FORMFONTIM | 0x126688 | 0x14 | data | 1.45
_IID_FORMGRANGLE | 0x126584 | 0x14 | data | 1.4
_IID_FORMGRID | 0x126674 | 0x14 | data | 1.4
_IID_FORMHWY | 0x1265ac | 0x14 | data | 1.45
_IID_FORMIMPORT | 0x126660 | 0x14 | data | 1.4
_IID_FORMOPEN | 0x126638 | 0x14 | data | 1.4
_IID_FORMPLOT | 0x12655c | 0x14 | data | 1.4
_IID_FORMREPEAT | 0x1265fc | 0x14 | data | 1.45
_IID_FORMSP | 0x126624 | 0x14 | data | 1.45
_IID_FRMABOUT | 0x1266d8 | 0x14 | data | 1.4
_IID_FRMEDITOR | 0x1265e8 | 0x14 | data | 1.4
_IID_FRMSPELL | 0x126534 | 0x14 | data | 1.45
_IID_FRMWAITP | 0x126548 | 0x14 | data | 1.45
RT_ICON | 0x12624c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | 0.23387096774193547
RT_STRING | 0x1308a8 | 0x4d0 | data | 0.3952922077922078
RT_STRING | 0x130474 | 0x434 | data | 0.4191449814126394
RT_STRING | 0x130118 | 0x35c | data | 0.4441860465116279
RT_STRING | 0x12fbd8 | 0x540 | data | 0.3645833333333333
RT_STRING | 0x12f5a0 | 0x638 | data | 0.39824120603015073
RT_STRING | 0x12f2e0 | 0x2c0 | data | 0.3252840909090909
RT_STRING | 0x12f000 | 0x2e0 | data | 0.296195652173913
RT_STRING | 0x12eb94 | 0x46c | data | 0.19964664310954064
RT_STRING | 0x12e7a0 | 0x3f4 | data | 0.27964426877470355
RT_STRING | 0x12e6cc | 0xd4 | data | 0.5094339622641509
RT_STRING | 0x12e5f8 | 0xd4 | data | 0.47641509433962265
RT_STRING | 0x12e258 | 0x3a0 | data | 0.3566810344827586
RT_STRING | 0x12c754 | 0xf0 | data | 0.5375
RT_STRING | 0x12bc88 | 0x98 | data | 0.5657894736842105
RT_STRING | 0x12e170 | 0xe8 | data | 0.49137931034482757
RT_STRING | 0x12dd0c | 0x84 | data | 0.5606060606060606
RT_STRING | 0x12e118 | 0x58 | data | 0.5227272727272727
RT_STRING | 0x12dde0 | 0x338 | data | 0.279126213592233
RT_STRING | 0x12dd90 | 0x50 | data | 0.6875
RT_STRING | 0x12db20 | 0x1ec | data | 0.45528455284552843
RT_STRING | 0x12ce0c | 0x170 | data | 0.5652173913043478
RT_STRING | 0x12cf7c | 0xc8 | data | 0.55
RT_STRING | 0x12d7b0 | 0x370 | data | 0.44545454545454544
RT_STRING | 0x12d49c | 0x314 | data | 0.45685279187817257
RT_STRING | 0x12d044 | 0x458 | data | 0.3902877697841727
RT_STRING | 0x12bd20 | 0x3c4 | data | 0.3983402489626556
RT_STRING | 0x12c844 | 0x298 | data | 0.42771084337349397
RT_STRING | 0x12cadc | 0x330 | data | 0.4375
RT_STRING | 0x12c534 | 0x220 | data | 0.45588235294117646
RT_STRING | 0x12c2d8 | 0x25c | data | 0.4602649006622517
RT_STRING | 0x12c0e4 | 0x1f4 | data | 0.524
RT_GROUP_ICON | 0x126238 | 0x14 | data | 1.25
RT_VERSION | 0x126018 | 0x220 | data | 0.5110294117647058
DLL | Import |
---|---|
VB40032.DLL |
Field | Value
---|---
Target ID | 1
Start time | 17:19:55
Start date | 28/03/2024
Path | C:\Users\user\Desktop\SGIART9.exe
Wow64 process (32bit) | true
Commandline |
Imagebase | 0x400000
File size | 1'283'072 bytes
MD5 hash | 0A404629A2A8A1185C3048D164F7ECA2
Has elevated privileges | true
Has administrator privileges | true
Programmed in | C, C++ or other language
Reputation | low
Has exited | false
Function 00401198: Relevance 3.8, APIs: 1, Instructions: 2320 (COMMON)
Uniqueness Score: -1.00%