Windows
Analysis Report
EmptyStandbyList.exe
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64_ra
- EmptyStandbyList.exe (PID: 7140, cmdline: "C:\Users\user\Desktop\EmptyStandbyList.exe", MD5: 3555E25964BF8E983E863DAAF1E4D0D6)
- conhost.exe (PID: 7148, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- conhost.exe (PID: 6192, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
There are no malicious signatures.
Signature evidence sources (per-signature details not preserved in this export): Static PE information; Classification label; Mutant created; Key opened; Process created; Section loaded; Thread injection, dropped files, key value created, disk infection and DNS query.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
EmptyStandbyList.exe | 2% | ReversingLabs | | |
EmptyStandbyList.exe | 0% | Virustotal | | Browse |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1427157 |
Start date and time: | 2024-04-17 06:26:56 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Sample name: | EmptyStandbyList.exe |
Detection: | CLEAN |
Classification: | clean1.winEXE@3/0@0/0 |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
File type: | |
Entropy (8bit): | 6.386198264185548 |
TrID: | |
File name: | EmptyStandbyList.exe |
File size: | 139'424 bytes |
MD5: | 3555e25964bf8e983e863daaf1e4d0d6 |
SHA1: | de5133bdbb40cfb0119dec5ac54dfbbff21b47d0 |
SHA256: | 6d2b18f8a8ba787d3fa4c6e36ed6c7af66b10083ce555a21ec24b2ada3821cbe |
SHA512: | c0c9d78ea79ca4e06716dab2497843c730e53101872f855671423b5feff0ce06e1db0519fe7710f673b21ae6cd51e6eba443697ef8798e755868f39282c2ac54 |
SSDEEP: | 3072:iOXQAmidaOUNM18K6QgNjgO+SkNn6P7Q2k/9KORSGhY+HlnrLNX2z4Yb15qDxG1:1vzUN12gNk8kNXD4 |
TLSH: | 65D348127BD084B1E5B21E7449B497610B6EFE321E31CAAF63A8027E4E706D09D35B77 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.R............l.......l...[...l.......=M......=M......=M......l.......l........b..........M...*M......*M......*M......*M..... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x403728 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x56ADF379 [Sun Jan 31 11:43:53 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | ede74345354aaddd93e9ce5d8e8b1431 |
Signature Valid: | true |
Signature Issuer: | CN=DigiCert SHA2 High Assurance Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 7D8BD35DB162488AE157E06ACDCAA9CD |
Thumbprint SHA-1: | 190D956129DDE6972D46F46EF98BD86B982E6633 |
Thumbprint SHA-256: | 389084BB9E1F6785A7B7DA4CB87872738AB2F92CD88B286F2690BD46E3912BDF |
Serial: | 040CB41E4FB370C45C4344765162582F |
Instruction |
---|
call 00007F472893AE45h |
jmp 00007F472893AA4Fh |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
push esi |
mov ecx, dword ptr [eax+3Ch] |
add ecx, eax |
movzx eax, word ptr [ecx+14h] |
lea edx, dword ptr [ecx+18h] |
add edx, eax |
movzx eax, word ptr [ecx+06h] |
imul esi, eax, 28h |
add esi, edx |
cmp edx, esi |
je 00007F472893ABEBh |
mov ecx, dword ptr [ebp+0Ch] |
cmp ecx, dword ptr [edx+0Ch] |
jc 00007F472893ABDCh |
mov eax, dword ptr [edx+08h] |
add eax, dword ptr [edx+0Ch] |
cmp ecx, eax |
jc 00007F472893ABDEh |
add edx, 28h |
cmp edx, esi |
jne 00007F472893ABBCh |
xor eax, eax |
pop esi |
pop ebp |
ret |
mov eax, edx |
jmp 00007F472893ABCBh |
call 00007F472893B2D6h |
test eax, eax |
jne 00007F472893ABD5h |
xor al, al |
ret |
mov eax, dword ptr fs:[00000018h] |
push esi |
mov esi, 004220E8h |
mov edx, dword ptr [eax+04h] |
jmp 00007F472893ABD6h |
cmp edx, eax |
je 00007F472893ABE2h |
xor eax, eax |
mov ecx, edx |
lock cmpxchg dword ptr [esi], ecx |
test eax, eax |
jne 00007F472893ABC2h |
xor al, al |
pop esi |
ret |
mov al, 01h |
pop esi |
ret |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+08h], 00000000h |
jne 00007F472893ABD9h |
mov byte ptr [00422104h], 00000001h |
call 00007F472893B0F0h |
call 00007F472893C2DAh |
test al, al |
jne 00007F472893ABD6h |
xor al, al |
pop ebp |
ret |
call 00007F4728941A00h |
test al, al |
jne 00007F472893ABDCh |
push 00000000h |
call 00007F472893C2F0h |
pop ecx |
jmp 00007F472893ABBBh |
mov al, 01h |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
push esi |
mov esi, dword ptr [ebp+08h] |
test esi, esi |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d744 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x20400 | 0x1ca0 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x15e4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1cec0 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1cf18 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x1a0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x130bb | 0x13200 | 261c298c7b292864be7c1e485e2a6305 | False | 0.5736443014705882 | data | 6.646344875933772 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x15000 | 0x9126 | 0x9200 | f68c1d974ece2452c05f0d91f46551bd | False | 0.4312660530821918 | data | 4.879031592385397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1f000 | 0x447c | 0x2400 | 38af78bcc1d10b47cf2df36510b4ee04 | False | 0.2635633680555556 | data | 2.999564701586033 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x24000 | 0x1e0 | 0x200 | e8f29e6669a480a4d72efeb174b889d9 | False | 0.52734375 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x25000 | 0x15e4 | 0x1600 | 4bf82d81f9c36e5e2d823264126bd299 | False | 0.7867542613636364 | data | 6.517120857037403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x24060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
ntdll.dll | RtlNtStatusToDosError, RtlFindMessage, RtlInterlockedPopEntrySList, RtlMultiByteToUnicodeSize, RtlMultiByteToUnicodeN, RtlInitializeSListHead, RtlInterlockedPushEntrySList, RtlRaiseStatus, NtReleaseSemaphore, NtCreateKeyedEvent, NtWaitForKeyedEvent, NtReleaseKeyedEvent, RtlCreateHeap, RtlGetVersion, RtlReleasePrivilege, RtlAcquirePrivilege, RtlLengthSecurityDescriptor, RtlAllocateHeap, RtlUpcaseUnicodeChar, NtSetInformationFile, RtlUnwind, NtWaitForSingleObject, NtFreeVirtualMemory, NtSetSystemInformation, NtQuerySystemInformation, NtCreateSemaphore, NtQueryInformationToken, NtOpenProcessToken, RtlFreeHeap, NtWriteFile, NtDeviceIoControlFile, NtClose |
KERNEL32.dll | IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, IsProcessorFeaturePresent, TerminateProcess, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleFileNameW, FindFirstFileExW, FindNextFileW, GetEnvironmentStringsW, FreeEnvironmentStringsW, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetStringTypeW, MultiByteToWideChar, GetACP, RaiseException, GetStdHandle, WideCharToMultiByte, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, CompareStringW, LCMapStringW, GetFileType, DecodePointer, GetCPInfo, IsValidCodePage, GetOEMCP, CloseHandle, FindClose, GetCurrentProcess, SetLastError, TlsGetValue, TlsAlloc, TlsSetValue, GetSystemDefaultLangID, GetUserDefaultLangID, LocalAlloc, GetTickCount, HeapFree, HeapAlloc, QueryPerformanceCounter, GetProcAddress, GetModuleHandleW, ExitProcess, GetLastError, WriteFile, CreateFileW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, FlushFileBuffers, GetConsoleCP, GetConsoleMode, HeapSize, HeapReAlloc, SetFilePointerEx, WriteConsoleW |
ADVAPI32.dll | SystemFunction036 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |