Windows
Analysis Report
Nexthink_Collector_Installer_Silent.exe
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
Analysis Advice
- Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
- Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
- System is w10x64
- Nexthink_Collector_Installer_Silent.exe (PID: 7316, cmdline: "C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe", MD5: A734E0EA93D16C673272CD373DF1FAF5)
- cleanup
There are no malicious signatures.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 3 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1426833 |
Start date and time: | 2024-04-16 17:22:21 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 51s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Nexthink_Collector_Installer_Silent.exe |
Detection: | CLEAN |
Classification: | clean1.winEXE@1/0@0/0 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments:
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Nexthink_Collector_Installer_Silent.exe, PID 7316 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
File type: | |
Entropy (8bit): | 7.980505318400647 |
File name: | Nexthink_Collector_Installer_Silent.exe |
File size: | 70'886'592 bytes |
MD5: | a734e0ea93d16c673272cd373df1faf5 |
SHA1: | b6454106405dfdb732641e34961a09127621bf5c |
SHA256: | 603a9e9a531caf7bcea1992bfae68583f12beb7edac4768d4b50e76b16af60cd |
SHA512: | 966c5eb64f8d955e7692f1c9deefdc0bfd2544c47460432c342bbd64e333b68ef052d12802f6e39ce6f51df687aa3a59364c12fe16367b312faeb9f915d204b2 |
SSDEEP: | 1572864:rAACpH7aKRZpaOsJPXtoYyCTbi0PuK4X8uU0L2wpAUfxoISl4mrhwKRkaQaNCNa3:rnCoUFsJhx34X8hAx7xlI4m1pRFQG0f4 |
TLSH: | 85F733067E6401A9EEB7B139B5AE8900EA753C1513238ACB23F0759B1F73ED05A7631D |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;[.&.:.u.:.u.:.ukQ.tu:.ukQ.tl:.ukQ.t.:.u-O.to:.u-O.tu:.u-O.t.:.ukQ.tn:.u.:.u.:.u.O.tv:.u.O1u~:.u.O.t~:.uRich.:.u........PE..d.. |
Icon Hash: | 53f16d4d4d4dcc51 |
Entrypoint: | 0x140026ca8 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65F1B49F [Wed Mar 13 14:13:51 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 45bf8736c7180e4761c8e6262738d870 |
Signature Valid: | true |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Version: | 3 |
Thumbprint MD5: | 90AFB125D358CFA7B918C56823D11089 |
Thumbprint SHA-1: | EBDAE0ACE9C8F5D0136152C0FDC1971DB3604412 |
Thumbprint SHA-256: | C1AB4749A2D23E6B829EA39BE33F04EE1211F525C47991BAB791C7493CCC367B |
Serial: | 075A2790DAD211DD1320BFDC8F6DC855 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F23807067F0h |
dec eax |
add esp, 28h |
jmp 00007F2380705E4Fh |
int3 |
int3 |
jmp 00007F238070E974h |
int3 |
int3 |
int3 |
dec eax |
sub esp, 28h |
dec ebp |
mov eax, dword ptr [ecx+38h] |
dec eax |
mov ecx, edx |
dec ecx |
mov edx, ecx |
call 00007F2380705FE2h |
mov eax, 00000001h |
dec eax |
add esp, 28h |
ret |
int3 |
int3 |
int3 |
inc eax |
push ebx |
inc ebp |
mov ebx, dword ptr [eax] |
dec eax |
mov ebx, edx |
inc ecx |
and ebx, FFFFFFF8h |
dec esp |
mov ecx, ecx |
inc ecx |
test byte ptr [eax], 00000004h |
dec esp |
mov edx, ecx |
je 00007F2380705FE5h |
inc ecx |
mov eax, dword ptr [eax+08h] |
dec ebp |
arpl word ptr [eax+04h], dx |
neg eax |
dec esp |
add edx, ecx |
dec eax |
arpl ax, cx |
dec esp |
and edx, ecx |
dec ecx |
arpl bx, ax |
dec edx |
mov edx, dword ptr [eax+edx] |
dec eax |
mov eax, dword ptr [ebx+10h] |
mov ecx, dword ptr [eax+08h] |
dec eax |
mov eax, dword ptr [ebx+08h] |
test byte ptr [ecx+eax+03h], 0000000Fh |
je 00007F2380705FDDh |
movzx eax, byte ptr [ecx+eax+03h] |
and eax, FFFFFFF0h |
dec esp |
add ecx, eax |
dec esp |
xor ecx, edx |
dec ecx |
mov ecx, ecx |
pop ebx |
jmp 00007F2380705766h |
int3 |
dec eax |
mov eax, esp |
dec eax |
mov dword ptr [eax+08h], ebx |
dec eax |
mov dword ptr [eax+10h], ebp |
dec eax |
mov dword ptr [eax+18h], esi |
dec eax |
mov dword ptr [eax+20h], edi |
inc ecx |
push esi |
dec eax |
sub esp, 20h |
dec ecx |
mov ebx, dword ptr [ecx+38h] |
dec eax |
mov esi, edx |
dec ebp |
mov esi, eax |
dec eax |
mov ebp, ecx |
dec ecx |
mov edx, ecx |
dec eax |
mov ecx, esi |
dec ecx |
mov edi, ecx |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x69638 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x74000 | 0x4291220 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6f000 | 0x3cfc | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4300c00 | 0x998c0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4306000 | 0xb18 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x61b60 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x61d00 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x61bc0 | 0x138 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x50000 | 0x450 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4e2ec | 0x4e400 | d4d2e093d48cc9e7deb6f16e4c4d4510 | False | 0.5204610123801917 | data | 6.471270119324688 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x50000 | 0x1a4d0 | 0x1a600 | 13963a4af3ffe2fd6b4f26292b15e08c | False | 0.43549133590047395 | data | 5.112600792532151 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x6b000 | 0x350c | 0x1e00 | 115e48b62085ebd2a3b695ba77267d0a | False | 0.15091145833333333 | DOS executable (block device driver) | 3.261064407548195 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x6f000 | 0x3cfc | 0x3e00 | b1da50022a1102b3240ca3a38efb5067 | False | 0.4769405241935484 | data | 5.599998597201377 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x73000 | 0xf4 | 0x200 | 217914a1ea98ecd77c60cbc406c834d6 | False | 0.32421875 | data | 2.4688333672793643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x74000 | 0x4291220 | 0x4291400 | 96ceb2750e87858affd7267c673bbda5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x4306000 | 0xb18 | 0xc00 | 7849c6576b547e63ecccbec6dc4e411b | False | 0.4973958333333333 | data | 5.28255770132007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
AFX_DIALOG_LAYOUT | 0x4303798 | 0x2 | data | English | United States | 5.0 |
BIN | 0x74938 | 0x2ca00 | PE32+ executable (GUI) x86-64, for MS Windows | English | United States | 0.49060092787114845 |
BIN | 0xc9538 | 0x422a0ae | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Nexthink Collector Windows Installer, Author: Nexthink S.A., Keywords: Installer, Comments: Nexthink Collector (24.2.3.2) for Windows 10 and above, Windows Server 2016 and above., Template: x64;1033, Revision Number: {ADCBBDBB-0708-4650-A785-2F1A7F4B049E}, Create Time/Date: Wed Mar 13 14:11:32 2024, Last Saved Time/Date: Wed Mar 13 14:11:32 2024, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.0.5722), Security: 4 | English | United States | 0.9637260437011719 |
BIN | 0xa1338 | 0x28200 | PE32+ executable (GUI) x86-64, for MS Windows | English | United States | 0.4862429419781931 |
RT_BITMAP | 0x42f9db8 | 0x993a | Device independent bitmap graphic, 210 x 62 x 24, image size 39186, resolution 2834 x 2834 px/m | English | United States | 0.07296181104369551 |
RT_ICON | 0x42f4670 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.29609929078014185 |
RT_ICON | 0x42f4ad8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.19098360655737706 |
RT_ICON | 0x42f5460 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.13860225140712945 |
RT_ICON | 0x42f6508 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.09367219917012448 |
RT_ICON | 0x42f8ab0 | 0x12b2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9114082741328876 |
RT_DIALOG | 0x42f3960 | 0xb06 | data | English | United States | 0.3543586109142452 |
RT_DIALOG | 0x42f4468 | 0x204 | data | English | United States | 0.5581395348837209 |
RT_STRING | 0x43037a0 | 0x3e | data | English | United States | 0.6129032258064516 |
RT_STRING | 0x4303e58 | 0x494 | data | English | United States | 0.3174061433447099 |
RT_STRING | 0x43042f0 | 0x706 | data | English | United States | 0.27196885428253614 |
RT_STRING | 0x43049f8 | 0x150 | data | English | United States | 0.43452380952380953 |
RT_STRING | 0x43037e0 | 0x678 | data | English | United States | 0.3254830917874396 |
RT_STRING | 0x4304ca0 | 0x49e | data | English | United States | 0.2571912013536379 |
RT_STRING | 0x4305140 | 0xda | data | English | United States | 0.4908256880733945 |
RT_STRING | 0x4304b48 | 0x152 | data | English | United States | 0.4881656804733728 |
RT_GROUP_ICON | 0x42f9d68 | 0x4c | data | English | United States | 0.7763157894736842 |
RT_VERSION | 0x745b0 | 0x384 | data | English | United States | 0.42444444444444446 |
RT_MANIFEST | 0x42f35e8 | 0x376 | XML 1.0 document, ASCII text | English | United States | 0.4887133182844244 |
None | 0x43036f8 | 0x9c | data | English | United States | 0.3333333333333333 |
DLL | Import |
---|---|
COMCTL32.dll | |
SHLWAPI.dll | PathFileExistsW, PathIsDirectoryW |
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
KERNEL32.dll | CreateFileW, CloseHandle, SizeofResource, WriteFile, EndUpdateResourceW, Sleep, LockResource, GlobalAlloc, DeleteFileW, GlobalFree, LoadResource, FindResourceW, UpdateResourceW, GlobalLock, FreeLibrary, BeginUpdateResourceW, GlobalUnlock, LoadLibraryExW, GetFileSizeEx, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, ReadConsoleW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, ReadFile, GetLastError, GetProcessHeap, SetStdHandle, HeapSize, WriteConsoleW, SetEndOfFile, FreeEnvironmentStringsW, MultiByteToWideChar, HeapReAlloc, SetFilePointerEx, InitializeCriticalSectionEx, RaiseException, DecodePointer, DeleteCriticalSection, GetStringTypeW, WideCharToMultiByte, CompareStringEx, EnterCriticalSection, LeaveCriticalSection, EncodePointer, LCMapStringEx, GetCPInfo, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, GetProcAddress, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, RtlUnwindEx, RtlPcToFileHeader, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, HeapFree, HeapAlloc, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, RtlUnwind |
USER32.dll | LoadImageW, EnableWindow, MessageBoxW, LoadStringW, GetWindowTextLengthW, GetWindowRect, DialogBoxParamW, SetWindowTextW, EndDialog, SetDlgItemTextW, GetDlgItemTextW, LoadIconW, GetDlgItem, SetDlgItemInt, SetWindowPos, GetDlgItemInt, SendMessageW |
COMDLG32.dll | GetOpenFileNameW |
ADVAPI32.dll | CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptGetHashParam, CryptReleaseContext |
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Target ID: | 0 |
Start time: | 17:23:12 |
Start date: | 16/04/2024 |
Path: | C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7d7560000 |
File size: | 70'886'592 bytes |
MD5 hash: | A734E0EA93D16C673272CD373DF1FAF5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |