Windows Analysis Report
EmptyStandbyList.exe

Overview

General Information

Sample name:EmptyStandbyList.exe
Analysis ID:1427157
MD5:3555e25964bf8e983e863daaf1e4d0d6
SHA1:de5133bdbb40cfb0119dec5ac54dfbbff21b47d0
SHA256:6d2b18f8a8ba787d3fa4c6e36ed6c7af66b10083ce555a21ec24b2ada3821cbe

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • EmptyStandbyList.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\EmptyStandbyList.exe" MD5: 3555E25964BF8E983E863DAAF1E4D0D6)
    • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: EmptyStandbyList.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: EmptyStandbyList.exe | Static PE information: certificate valid
Source: EmptyStandbyList.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: classification engine | Classification label: clean1.winEXE@3/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6192:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: EmptyStandbyList.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EmptyStandbyList.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\EmptyStandbyList.exe "C:\Users\user\Desktop\EmptyStandbyList.exe"
Source: C:\Users\user\Desktop\EmptyStandbyList.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EmptyStandbyList.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EmptyStandbyList.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EmptyStandbyList.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\EmptyStandbyList.exe | Section loaded: kernel.appcore.dll
Source: EmptyStandbyList.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EmptyStandbyList.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EmptyStandbyList.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EmptyStandbyList.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EmptyStandbyList.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EmptyStandbyList.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: EmptyStandbyList.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EmptyStandbyList.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EmptyStandbyList.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EmptyStandbyList.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EmptyStandbyList.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Mitre Att&ck Matrix (a leading count marks techniques matched by a signature)

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts
  • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading
  • Defense Evasion: 1 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: 1 System Information Discovery; Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: Data Obfuscation; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service

Source | Detection | Scanner | Label | Link
EmptyStandbyList.exe | 2% | ReversingLabs | |
EmptyStandbyList.exe | 0% | Virustotal | | Browse
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1427157
Start date and time:2024-04-17 06:26:56 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:EmptyStandbyList.exe
Detection:CLEAN
Classification:clean1.winEXE@3/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
No created / dropped files found
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.386198264185548
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:EmptyStandbyList.exe
File size:139'424 bytes
MD5:3555e25964bf8e983e863daaf1e4d0d6
SHA1:de5133bdbb40cfb0119dec5ac54dfbbff21b47d0
SHA256:6d2b18f8a8ba787d3fa4c6e36ed6c7af66b10083ce555a21ec24b2ada3821cbe
SHA512:c0c9d78ea79ca4e06716dab2497843c730e53101872f855671423b5feff0ce06e1db0519fe7710f673b21ae6cd51e6eba443697ef8798e755868f39282c2ac54
SSDEEP:3072:iOXQAmidaOUNM18K6QgNjgO+SkNn6P7Q2k/9KORSGhY+HlnrLNX2z4Yb15qDxG1:1vzUN12gNk8kNXD4
TLSH:65D348127BD084B1E5B21E7449B497610B6EFE321E31CAAF63A8027E4E706D09D35B77
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.R............l.......l...[...l.......=M......=M......=M......l.......l........b..........M...*M......*M......*M......*M.....
Icon Hash:90cececece8e8eb0
Entrypoint:0x403728
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x56ADF379 [Sun Jan 31 11:43:53 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:ede74345354aaddd93e9ce5d8e8b1431
Signature Valid:true
Signature Issuer:CN=DigiCert SHA2 High Assurance Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • Not Before: 30/10/2013 01:00:00, Not After: 04/01/2017 13:00:00
Subject Chain
  • CN=Wen Jia Liu, O=Wen Jia Liu, L=Sydney, S=New South Wales, C=AU
Version:3
Thumbprint MD5:7D8BD35DB162488AE157E06ACDCAA9CD
Thumbprint SHA-1:190D956129DDE6972D46F46EF98BD86B982E6633
Thumbprint SHA-256:389084BB9E1F6785A7B7DA4CB87872738AB2F92CD88B286F2690BD46E3912BDF
Serial:040CB41E4FB370C45C4344765162582F
Instruction
call 00007F472893AE45h
jmp 00007F472893AA4Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F472893ABEBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F472893ABDCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F472893ABDEh
add edx, 28h
cmp edx, esi
jne 00007F472893ABBCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F472893ABCBh
call 00007F472893B2D6h
test eax, eax
jne 00007F472893ABD5h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 004220E8h
mov edx, dword ptr [eax+04h]
jmp 00007F472893ABD6h
cmp edx, eax
je 00007F472893ABE2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F472893ABC2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F472893ABD9h
mov byte ptr [00422104h], 00000001h
call 00007F472893B0F0h
call 00007F472893C2DAh
test al, al
jne 00007F472893ABD6h
xor al, al
pop ebp
ret
call 00007F4728941A00h
test al, al
jne 00007F472893ABDCh
push 00000000h
call 00007F472893C2F0h
pop ecx
jmp 00007F472893ABBBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
mov esi, dword ptr [ebp+08h]
test esi, esi
Programming Language:
  • [IMP] VS2010 build 30319
  • [ C ] VS2015 build 23026
  • [RES] VS2015 build 23026
  • [LNK] VS2015 build 23026
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d744 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x20400 | 0x1ca0 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x15e4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1cec0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1cf18 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x1a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x130bb | 0x13200 | 261c298c7b292864be7c1e485e2a6305 | False | 0.5736443014705882 | data | 6.646344875933772 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x15000 | 0x9126 | 0x9200 | f68c1d974ece2452c05f0d91f46551bd | False | 0.4312660530821918 | data | 4.879031592385397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1f000 | 0x447c | 0x2400 | 38af78bcc1d10b47cf2df36510b4ee04 | False | 0.2635633680555556 | data | 2.999564701586033 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24000 | 0x1e0 | 0x200 | e8f29e6669a480a4d72efeb174b889d9 | False | 0.52734375 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x25000 | 0x15e4 | 0x1600 | 4bf82d81f9c36e5e2d823264126bd299 | False | 0.7867542613636364 | data | 6.517120857037403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x24060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
ntdll.dll | RtlNtStatusToDosError, RtlFindMessage, RtlInterlockedPopEntrySList, RtlMultiByteToUnicodeSize, RtlMultiByteToUnicodeN, RtlInitializeSListHead, RtlInterlockedPushEntrySList, RtlRaiseStatus, NtReleaseSemaphore, NtCreateKeyedEvent, NtWaitForKeyedEvent, NtReleaseKeyedEvent, RtlCreateHeap, RtlGetVersion, RtlReleasePrivilege, RtlAcquirePrivilege, RtlLengthSecurityDescriptor, RtlAllocateHeap, RtlUpcaseUnicodeChar, NtSetInformationFile, RtlUnwind, NtWaitForSingleObject, NtFreeVirtualMemory, NtSetSystemInformation, NtQuerySystemInformation, NtCreateSemaphore, NtQueryInformationToken, NtOpenProcessToken, RtlFreeHeap, NtWriteFile, NtDeviceIoControlFile, NtClose
KERNEL32.dll | IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, IsProcessorFeaturePresent, TerminateProcess, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleFileNameW, FindFirstFileExW, FindNextFileW, GetEnvironmentStringsW, FreeEnvironmentStringsW, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetStringTypeW, MultiByteToWideChar, GetACP, RaiseException, GetStdHandle, WideCharToMultiByte, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, CompareStringW, LCMapStringW, GetFileType, DecodePointer, GetCPInfo, IsValidCodePage, GetOEMCP, CloseHandle, FindClose, GetCurrentProcess, SetLastError, TlsGetValue, TlsAlloc, TlsSetValue, GetSystemDefaultLangID, GetUserDefaultLangID, LocalAlloc, GetTickCount, HeapFree, HeapAlloc, QueryPerformanceCounter, GetProcAddress, GetModuleHandleW, ExitProcess, GetLastError, WriteFile, CreateFileW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, FlushFileBuffers, GetConsoleCP, GetConsoleMode, HeapSize, HeapReAlloc, SetFilePointerEx, WriteConsoleW
ADVAPI32.dll | SystemFunction036
Language of compilation system | Country where language is spoken | Map
English | United States |