Windows Analysis Report: compiler.exe
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
- compiler.exe (PID: 6464, cmdline: "C:\Users\user\Desktop\compiler.exe", MD5: DD98A43CB27EFD5BCC29EFB23FDD6CA5)
  - conhost.exe (PID: 6752, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
conhost.exe with "0xffffffff -ForceV1" is the console host that Windows starts for any console-subsystem (windows cui) image; it is spawned by the OS, not by code in the sample, and it is on the cookbook's process whitelist below.
No malicious signatures were triggered.
Signature evidence recorded (all rated non-malicious; only the evidence source of each hit survived extraction, the signature text and details did not):
- Static PE information: 6 hits
- String found in binary or memory: 1 hit
- Classification label: 1 hit
- Mutant created: 1 hit
- Key opened: 1 hit
- Process created: 2 hits
- Section loaded: 2 hits
- Thread injection, dropped files, key value created, disk infection and DNS query: 2 hits
- Last function: 1 hit
MITRE ATT&CK matrix. Only cells carrying a count are matches; the remaining cells of the sandbox matrix hold its default technique labels (Valid Accounts, OS Credential Dumping, and so on) and are not findings for this sample.
- Persistence: DLL Side-Loading (1)
- Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
- Defense Evasion: Process Injection (1), DLL Side-Loading (1)
- Discovery: System Information Discovery (1)
These are heuristic matches. A DLL Side-Loading entry is expected for any binary that imports a non-system DLL by name (here lua51.dll, resolved from the application directory under the default search order) and is not by itself evidence of malicious intent; with a score of 1/100, a CLEAN verdict and no malicious signatures, the matrix entries are informational.
Antivirus and reputation results (the Source, Label and Link columns were empty or unresolved in this extraction):
Detection | Scanner
---|---
3% | ReversingLabs
3% | Virustotal

Second detection table (subject of the scan not preserved in the extraction):
Detection | Scanner
---|---
0% | Virustotal

Third table (Name / Source / Malicious / Antivirus Detection / Reputation): one entry, Malicious: false, Reputation: unknown; the name and source were not preserved.
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1428661 |
Start date and time: | 2024-04-19 11:27:42 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 17s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | compiler.exe |
Detection: | CLEAN |
Classification: | clean1.winEXE@2/0@0/0 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
File type: | |
Entropy (8bit): | 6.34670024833589 |
TrID: | |
File name: | compiler.exe |
File size: | 91'136 bytes |
MD5: | dd98a43cb27efd5bcc29efb23fdd6ca5 |
SHA1: | 38f621f3f0df5764938015b56ecfa54948dde8f5 |
SHA256: | 1cf20b8449ea84c684822a5e8ab3672213072db8267061537d1ce4ec2c30c42a |
SHA512: | 871a2079892b1eb54cb761aebd500ac8da96489c3071c32a3dab00200f74f4e12b9ab6c62623c53aea5b8be3fc031fb1b3e628ffe15d73323d917083240742b0 |
SSDEEP: | 1536:Ee7h7q/J6K3nHC+AGUob2f0DBFPbPWNPWp350NHcHkDsWqxcd2ZPSAv:Ee7oU8HC+AGUu2abPbPWQpO8E0A2tSAv |
TLSH: | FC935C00F5D2D071D5B3593558B5DAB04A2EF9311F259FAB339813AA4F301C19E3AEAB |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................:...................c.......c.......c.......[...............[.......[.......Rich................... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4027cb |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5A6701B8 [Tue Jan 23 09:34:48 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | d0264e200554ef617c521261fe8fe2a4 |
Entrypoint disassembly (0x4027cb, .text). The branch targets are the relocated addresses exactly as the sandbox printed them; the ";" annotations identify the standard MSVC runtime startup routines these instructions match.

; entry point: the usual MSVC mainCRTStartup stub
call 00007FB79CD71261h             ; __security_init_cookie
jmp 00007FB79CD70DF4h              ; __scrt_common_main_seh

; __crt_fast_decode_pointer(p): ror by (0x20 - (cookie & 0x1F)), then xor with the cookie
; 0x416004 is __security_cookie in .data
push ebp
mov ebp, esp
mov eax, dword ptr [00416004h]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [00416004h]
pop ebp
ret

; find_pe_section(image_base, rva): e_lfanew -> IMAGE_NT_HEADERS -> section table scan
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]       ; image base
push esi
mov ecx, dword ptr [eax+3Ch]       ; e_lfanew
add ecx, eax                       ; IMAGE_NT_HEADERS
movzx eax, word ptr [ecx+14h]      ; FileHeader.SizeOfOptionalHeader
lea edx, dword ptr [ecx+18h]       ; OptionalHeader
add edx, eax                       ; first IMAGE_SECTION_HEADER
movzx eax, word ptr [ecx+06h]      ; FileHeader.NumberOfSections
imul esi, eax, 28h                 ; sizeof(IMAGE_SECTION_HEADER) == 0x28
add esi, edx                       ; end of section table
cmp edx, esi
je 00007FB79CD70F8Bh               ; empty table -> not found
mov ecx, dword ptr [ebp+0Ch]       ; rva
cmp ecx, dword ptr [edx+0Ch]       ; rva < VirtualAddress ?
jc 00007FB79CD70F7Ch               ;   -> next section
mov eax, dword ptr [edx+08h]       ; Misc.VirtualSize
add eax, dword ptr [edx+0Ch]
cmp ecx, eax                       ; rva < VirtualAddress + VirtualSize ?
jc 00007FB79CD70F7Eh               ;   -> found
add edx, 28h
cmp edx, esi
jne 00007FB79CD70F5Ch              ; loop
xor eax, eax                       ; not found
pop esi
pop ebp
ret
mov eax, edx                       ; return pointer to the matching section header
jmp 00007FB79CD70F6Bh

; wrapper: if the called check returns zero, return false (al = 0); otherwise jump on
call 00007FB79CD7167Eh
test eax, eax
jne 00007FB79CD70F75h
xor al, al
ret

; __scrt_acquire_startup_lock: fs:[18h] is the TEB, +4 is NT_TIB.StackBase, used as the
; owner token; lock cmpxchg on the lock word at 0x416BE0; returns al = 1 if this thread
; already holds the lock (nested startup), al = 0 once it has been acquired
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 00416BE0h
mov edx, dword ptr [eax+04h]
jmp 00007FB79CD70F76h              ; enter the loop at the cmpxchg
cmp edx, eax                       ; eax = previous owner after a failed cmpxchg
je 00007FB79CD70F82h               ; equal -> already owned by this thread
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FB79CD70F62h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret

; __scrt_initialize_crt(module_type): sets a module-type flag byte at 0x416BFD when the
; argument is 0, then runs the runtime initializers in turn, returning al = 0 as soon
; as one of them reports failure
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FB79CD70F79h
mov byte ptr [00416BFDh], 00000001h
call 00007FB79CD714A0h
call 00007FB79CD71B8Dh
test al, al
jne 00007FB79CD70F76h
xor al, al
pop ebp
ret
call 00007FB79CD74603h
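The section-finder loop in the listing is easier to follow in source form. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it rebuilds only the PE headers from the report's section table (a constructed input, not the sample's bytes), walks them exactly as the disassembly does, and mirrors the cookie-based pointer decode routine. The cookie value is a hypothetical stand-in for the runtime __security_cookie; the report does not disclose it.

```python
import struct

# Section table transcribed from the report's section listing (name, VirtualSize,
# VirtualAddress). Constructed input: only the headers are rebuilt, not the
# sample's section contents.
SECTIONS = [
    (b".text",  0xE3D7, 0x1000),
    (b".rdata", 0x5F5E, 0x10000),
    (b".data",  0x12E0, 0x16000),
    (b".reloc", 0x1054, 0x18000),
]
ENTRYPOINT_RVA = 0x4027CB - 0x400000   # Entrypoint minus preferred Imagebase, from the report


def build_pe_headers(sections, opt_size=0xE0):
    """Build a minimal PE32 header image: DOS header with e_lfanew, 'PE\\0\\0',
    COFF file header, a zeroed optional header, then one 40-byte
    IMAGE_SECTION_HEADER per entry. Enough for the header walk below."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    nt = b"PE\0\0" + coff + b"\0" * opt_size
    hdrs = b"".join(
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        struct.pack("<8sIIIIIIHHI", name, vsize, va, 0, 0, 0, 0, 0, 0, 0)
        for name, vsize, va in sections
    )
    return dos + nt + hdrs


IMAGE = build_pe_headers(SECTIONS)


def find_pe_section(image, rva):
    """Same loop as the section-finder in the listing: e_lfanew -> NT headers ->
    first section header, then scan NumberOfSections entries for the one whose
    [VirtualAddress, VirtualAddress + VirtualSize) range holds rva."""
    nt = struct.unpack_from("<I", image, 0x3C)[0]              # mov ecx,[eax+3Ch]; add ecx,eax
    opt_size = struct.unpack_from("<H", image, nt + 0x14)[0]   # movzx eax, word ptr [ecx+14h]
    first = nt + 0x18 + opt_size                               # lea edx,[ecx+18h]; add edx,eax
    count = struct.unpack_from("<H", image, nt + 0x06)[0]      # movzx eax, word ptr [ecx+06h]
    end = first + count * 0x28                                 # imul esi,eax,28h; add esi,edx
    off = first
    while off != end:                                          # cmp edx,esi; je -> not found
        vsize, va = struct.unpack_from("<II", image, off + 0x08)   # [edx+08h], [edx+0Ch]
        if va <= rva < va + vsize:                             # the two jc tests in the listing
            return image[off:off + 8].rstrip(b"\0").decode()
        off += 0x28                                            # add edx,28h
    return None                                                # xor eax,eax


SECURITY_COOKIE = 0x8F3B2A41   # hypothetical runtime value of __security_cookie (0x416004)
M32 = 0xFFFFFFFF


def _ror32(v, n):
    n &= 31                      # x86 masks the rotate count, so a count of 0x20 acts as 0
    return ((v >> n) | (v << (32 - n))) & M32


def _rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & M32


def decode_pointer(encoded, cookie=SECURITY_COOKIE):
    """Second routine in the listing: ror by (0x20 - (cookie & 0x1F)), then xor cookie."""
    return _ror32(encoded, 0x20 - (cookie & 0x1F)) ^ cookie


def encode_pointer(ptr, cookie=SECURITY_COOKIE):
    """Inverse of decode_pointer: xor first, then rol by the same count."""
    return _rol32(ptr ^ cookie, 0x20 - (cookie & 0x1F))


if __name__ == "__main__":
    for rva in (ENTRYPOINT_RVA, 0x15624, 0x18000, 0x17300):
        print(f"RVA {rva:#07x} -> {find_pe_section(IMAGE, rva)}")
    enc = encode_pointer(0x4027CB)
    print(f"encoded {enc:#010x} -> decoded {decode_pointer(enc):#010x}")
```

Run against the report's own numbers, the walk places the entrypoint RVA 0x27cb in .text, the import directory (0x15624) in .rdata and the relocation directory (0x18000) in .reloc, and returns nothing for an RVA in the gap between the end of .data and the start of .reloc, which is how the runtime uses this routine to decide whether an address belongs to the current image.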
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15624 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0x1054 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x14e20 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14e40 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10000 | 0x1b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xe3d7 | 0xe400 | b97c392d098eadbc9c95c4f161db9c43 | False | 0.5899465460526315 | data | 6.605552252216392 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x10000 | 0x5f5e | 0x6000 | 211de0d3d62de464b374c5fcd37b70a9 | False | 0.4219970703125 | data | 4.952429027132686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x16000 | 0x12e0 | 0xa00 | 6dbfd5c750ae4db7bd40b894c4f30c74 | False | 0.13984375 | Intel ia64 COFF object file, not stripped, 65 sections, symbol offset=0x44bf19b1, -1 symbols, optional header size 1 | 1.8442912468596249 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x18000 | 0x1054 | 0x1200 | 2ef1d0ccaa35ae861a0151c39039e435 | False | 0.7586805555555556 | data | 6.317639965076526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
The "Intel ia64 COFF object file" label on .data is a libmagic false positive on the section's first bytes (note the impossible "-1 symbols"); a 0xa00-byte read/write section with entropy 1.84 is ordinary initialized data, not an embedded object file. The File Type column is produced by running file-type magic over each section's raw bytes and should be read with that in mind.
DLL | Import |
---|---|
lua51.dll | lua_gettop, luaJIT_version_2_1_0_beta3, luaL_openlibs, luaL_traceback, luaL_newstate, luaL_loadbuffer, luaL_loadfile, luaL_where, luaL_callmeta, lua_sethook, lua_concat, lua_error, lua_gc, lua_cpcall, lua_pcall, lua_call, lua_rawseti, lua_setfield, lua_createtable, lua_rawgeti, lua_getfield, lua_gettable, lua_pushboolean, lua_pushcclosure, lua_pushfstring, lua_pushstring, lua_pushlstring, lua_pushnil, lua_objlen, lua_tolstring, lua_toboolean, lua_type, lua_isstring, lua_insert, lua_remove, lua_pushvalue, lua_settop, lua_close |
KERNEL32.dll | TlsAlloc, DecodePointer, ReadConsoleW, ReadFile, WriteConsoleW, CreateFileW, CloseHandle, HeapReAlloc, HeapSize, SetFilePointerEx, GetProcessHeap, GetStringTypeW, SetStdHandle, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, IsValidCodePage, FindNextFileA, FindFirstFileExA, FindClose, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, LCMapStringW, CompareStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, RaiseException, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, SetConsoleCtrlHandler, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetACP, HeapFree, HeapAlloc |
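The Import Hash row in the static information above is derived from exactly this import listing. The Python below is an added example written for this page (not code from the Joe Sandbox report or from the sample): it reproduces the pefile import-hash algorithm over the listing transcribed as shown, and the 8-bit Shannon entropy measure quoted for the file and for each section. Imphash is sensitive to import order, so the computed value equals the report's d0264e200554ef617c521261fe8fe2a4 only if the table preserves the on-disk order; the constructed byte strings in the usage block stand in for section data and are not bytes of the sample.

```python
import hashlib
import math

# Import table transcribed from the report's DLL / Import listing, in the order shown.
# Constructed from the page; imphash depends on this being the on-disk import order.
IMPORTS = [
    ("lua51.dll", [
        "lua_gettop", "luaJIT_version_2_1_0_beta3", "luaL_openlibs", "luaL_traceback",
        "luaL_newstate", "luaL_loadbuffer", "luaL_loadfile", "luaL_where", "luaL_callmeta",
        "lua_sethook", "lua_concat", "lua_error", "lua_gc", "lua_cpcall", "lua_pcall",
        "lua_call", "lua_rawseti", "lua_setfield", "lua_createtable", "lua_rawgeti",
        "lua_getfield", "lua_gettable", "lua_pushboolean", "lua_pushcclosure",
        "lua_pushfstring", "lua_pushstring", "lua_pushlstring", "lua_pushnil", "lua_objlen",
        "lua_tolstring", "lua_toboolean", "lua_type", "lua_isstring", "lua_insert",
        "lua_remove", "lua_pushvalue", "lua_settop", "lua_close",
    ]),
    ("KERNEL32.dll", [
        "TlsAlloc", "DecodePointer", "ReadConsoleW", "ReadFile", "WriteConsoleW", "CreateFileW",
        "CloseHandle", "HeapReAlloc", "HeapSize", "SetFilePointerEx", "GetProcessHeap",
        "GetStringTypeW", "SetStdHandle", "SetEnvironmentVariableA", "FreeEnvironmentStringsW",
        "GetEnvironmentStringsW", "GetCPInfo", "GetOEMCP", "IsValidCodePage", "FindNextFileA",
        "FindFirstFileExA", "FindClose", "GetConsoleMode", "GetConsoleCP", "FlushFileBuffers",
        "GetFileType", "LCMapStringW", "CompareStringW", "UnhandledExceptionFilter",
        "SetUnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess",
        "IsProcessorFeaturePresent", "QueryPerformanceCounter", "GetCurrentProcessId",
        "GetCurrentThreadId", "GetSystemTimeAsFileTime", "InitializeSListHead",
        "IsDebuggerPresent", "GetStartupInfoW", "GetModuleHandleW", "RtlUnwind", "GetLastError",
        "SetLastError", "EnterCriticalSection", "LeaveCriticalSection", "DeleteCriticalSection",
        "InitializeCriticalSectionAndSpinCount", "RaiseException", "TlsGetValue", "TlsSetValue",
        "TlsFree", "FreeLibrary", "GetProcAddress", "LoadLibraryExW", "SetConsoleCtrlHandler",
        "GetStdHandle", "WriteFile", "GetModuleFileNameA", "MultiByteToWideChar",
        "WideCharToMultiByte", "ExitProcess", "GetModuleHandleExW", "GetCommandLineA",
        "GetCommandLineW", "GetACP", "HeapFree", "HeapAlloc",
    ]),
]

_IMPHASH_EXTS = ("dll", "ocx", "sys")


def imphash(imports):
    """pefile-style import hash: one 'library.function' string per import, lowercase,
    with a .dll/.ocx/.sys extension stripped from the library name, in import-table
    order, joined with ',' and MD5-hashed. Imports by ordinal (none in this sample)
    would first need an ordinal-to-name lookup, which is omitted here."""
    entries = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in _IMPHASH_EXTS:
            lib = base
        entries.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(entries).encode()).hexdigest()


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the measure the report
    gives for the whole file (6.35) and for each section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_packed(entropy, threshold=7.0):
    """Triage rule of thumb: compiled code sits around 6 to 6.8 bits/byte (this
    sample's .text is 6.61); sustained values above about 7.0 suggest compressed
    or encrypted content and deserve a closer look. The threshold is a heuristic."""
    return entropy >= threshold


if __name__ == "__main__":
    print("imphash:", imphash(IMPORTS), "(compare with the report's Import Hash)")
    # Constructed byte strings standing in for section data, not bytes of the sample.
    for label, blob in (("zeros", b"\0" * 4096), ("uniform", bytes(range(256)) * 16)):
        h = shannon_entropy(blob)
        print(f"{label}: entropy {h:.3f}, looks packed: {looks_packed(h)}")
```

Two properties matter when pivoting on imphash: it is case-insensitive (KERNEL32.dll and kernel32.dll hash alike) but order-sensitive, so two builds of the same source with a different link order, or a listing whose order was changed by a report renderer, produce different values.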
Target ID: | 0 |
Start time: | 11:29:03 |
Start date: | 19/04/2024 |
Path: | C:\Users\user\Desktop\compiler.exe |
Wow64 process (32bit): | true |
Commandline: | "C:\Users\user\Desktop\compiler.exe" |
Imagebase: | 0x720000 (relocated from the preferred 0x400000: DYNAMIC_BASE is set and the image carries a .reloc section) |
File size: | 91'136 bytes |
MD5 hash: | DD98A43CB27EFD5BCC29EFB23FDD6CA5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 11:29:03 |
Start date: | 19/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Imagebase: | 0x7ff68cce0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |