Windows Analysis Report
compiler.exe

Overview

General Information

Sample name:compiler.exe
Analysis ID:1428661
MD5:dd98a43cb27efd5bcc29efb23fdd6ca5
SHA1:38f621f3f0df5764938015b56ecfa54948dde8f5
SHA256:1cf20b8449ea84c684822a5e8ab3672213072db8267061537d1ce4ec2c30c42a

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • compiler.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\compiler.exe" MD5: DD98A43CB27EFD5BCC29EFB23FDD6CA5)
    • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

  • Source: compiler.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
  • Source: compiler.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
  • Source: compiler.exe; String found in binary or memory: http://luajit.org/
  • Source: classification engine; Classification label: clean1.winEXE@2/0@0/0
  • Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
  • Source: compiler.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  • Source: C:\Users\user\Desktop\compiler.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • Source: unknown; Process created: C:\Users\user\Desktop\compiler.exe "C:\Users\user\Desktop\compiler.exe"
  • Source: C:\Users\user\Desktop\compiler.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • Source: C:\Users\user\Desktop\compiler.exe; Section loaded: apphelp.dll
  • Source: C:\Users\user\Desktop\compiler.exe; Section loaded: lua51.dll
  • Source: compiler.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
  • Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
  • Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Mitre Att&ck Matrix (techniques marked (1) have one matching signature)

  • Reconnaissance: Gather Victim Identity Information, Credentials
  • Resource Development: Acquire Infrastructure, Domains
  • Initial Access: Valid Accounts, Default Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
  • Defense Evasion: Process Injection (1), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory
  • Discovery: System Information Discovery (1), Application Window Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol
  • Collection: Data from Local System, Data from Removable Media
  • Command and Control: Data Obfuscation, Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features, Network Denial of Service
Behavior Graph (ID: 1428661; Sample: compiler.exe; Start date: 19/04/2024; Architecture: WINDOWS; Score: 1): compiler.exe started, then compiler.exe started conhost.exe.

Antivirus detection (source / detection / scanner):
  • compiler.exe: 3% (ReversingLabs)
  • compiler.exe: 3% (Virustotal)
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL detection (source / detection / scanner):
  • http://luajit.org/: 0% (Virustotal)
No contacted domains info
URL reputation (name / source / malicious / antivirus detection / reputation):
  • http://luajit.org/: source compiler.exe, malicious false, antivirus detection (none), reputation unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1428661
Start date and time:2024-04-19 11:27:42 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 17s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:compiler.exe
Detection:CLEAN
Classification:clean1.winEXE@2/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.34670024833589
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:compiler.exe
File size:91'136 bytes
MD5:dd98a43cb27efd5bcc29efb23fdd6ca5
SHA1:38f621f3f0df5764938015b56ecfa54948dde8f5
SHA256:1cf20b8449ea84c684822a5e8ab3672213072db8267061537d1ce4ec2c30c42a
SHA512:871a2079892b1eb54cb761aebd500ac8da96489c3071c32a3dab00200f74f4e12b9ab6c62623c53aea5b8be3fc031fb1b3e628ffe15d73323d917083240742b0
SSDEEP:1536:Ee7h7q/J6K3nHC+AGUob2f0DBFPbPWNPWp350NHcHkDsWqxcd2ZPSAv:Ee7oU8HC+AGUu2abPbPWQpO8E0A2tSAv
TLSH:FC935C00F5D2D071D5B3593558B5DAB04A2EF9311F259FAB339813AA4F301C19E3AEAB
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................:...................c.......c.......c.......[...............[.......[.......Rich...................
Icon Hash:90cececece8e8eb0
Entrypoint:0x4027cb
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x5A6701B8 [Tue Jan 23 09:34:48 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:d0264e200554ef617c521261fe8fe2a4
Instruction
call 00007FB79CD71261h
jmp 00007FB79CD70DF4h
push ebp
mov ebp, esp
mov eax, dword ptr [00416004h]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [00416004h]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FB79CD70F8Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FB79CD70F7Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FB79CD70F7Eh
add edx, 28h
cmp edx, esi
jne 00007FB79CD70F5Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FB79CD70F6Bh
call 00007FB79CD7167Eh
test eax, eax
jne 00007FB79CD70F75h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 00416BE0h
mov edx, dword ptr [eax+04h]
jmp 00007FB79CD70F76h
cmp edx, eax
je 00007FB79CD70F82h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FB79CD70F62h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FB79CD70F79h
mov byte ptr [00416BFDh], 00000001h
call 00007FB79CD714A0h
call 00007FB79CD71B8Dh
test al, al
jne 00007FB79CD70F76h
xor al, al
pop ebp
ret
call 00007FB79CD74603h
Programming Language:
  • [IMP] VS2017 v15.5.4 build 25834
  • [ C ] VS2017 v15.5.4 build 25834
  • [LNK] VS2017 v15.5.4 build 25834
Data directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x15624          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x18000          0x1054        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x14e20          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x14e40          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x10000          0x1b0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

.text
  • Virtual Address: 0x1000
  • Virtual Size: 0xe3d7
  • Raw Size: 0xe400
  • MD5: b97c392d098eadbc9c95c4f161db9c43
  • Xored PE: False
  • ZLIB Complexity: 0.5899465460526315
  • File Type: data
  • Entropy: 6.605552252216392
  • Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

.rdata
  • Virtual Address: 0x10000
  • Virtual Size: 0x5f5e
  • Raw Size: 0x6000
  • MD5: 211de0d3d62de464b374c5fcd37b70a9
  • Xored PE: False
  • ZLIB Complexity: 0.4219970703125
  • File Type: data
  • Entropy: 4.952429027132686
  • Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

.data
  • Virtual Address: 0x16000
  • Virtual Size: 0x12e0
  • Raw Size: 0xa00
  • MD5: 6dbfd5c750ae4db7bd40b894c4f30c74
  • Xored PE: False
  • ZLIB Complexity: 0.13984375
  • File Type: Intel ia64 COFF object file, not stripped, 65 sections, symbol offset=0x44bf19b1, -1 symbols, optional header size 1
  • Entropy: 1.8442912468596249
  • Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

.reloc
  • Virtual Address: 0x18000
  • Virtual Size: 0x1054
  • Raw Size: 0x1200
  • MD5: 2ef1d0ccaa35ae861a0151c39039e435
  • Xored PE: False
  • ZLIB Complexity: 0.7586805555555556
  • File Type: data
  • Entropy: 6.317639965076526
  • Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports

  • lua51.dll: lua_gettop, luaJIT_version_2_1_0_beta3, luaL_openlibs, luaL_traceback, luaL_newstate, luaL_loadbuffer, luaL_loadfile, luaL_where, luaL_callmeta, lua_sethook, lua_concat, lua_error, lua_gc, lua_cpcall, lua_pcall, lua_call, lua_rawseti, lua_setfield, lua_createtable, lua_rawgeti, lua_getfield, lua_gettable, lua_pushboolean, lua_pushcclosure, lua_pushfstring, lua_pushstring, lua_pushlstring, lua_pushnil, lua_objlen, lua_tolstring, lua_toboolean, lua_type, lua_isstring, lua_insert, lua_remove, lua_pushvalue, lua_settop, lua_close
  • KERNEL32.dll: TlsAlloc, DecodePointer, ReadConsoleW, ReadFile, WriteConsoleW, CreateFileW, CloseHandle, HeapReAlloc, HeapSize, SetFilePointerEx, GetProcessHeap, GetStringTypeW, SetStdHandle, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, IsValidCodePage, FindNextFileA, FindFirstFileExA, FindClose, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, LCMapStringW, CompareStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, RaiseException, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, SetConsoleCtrlHandler, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetACP, HeapFree, HeapAlloc
No network behavior found
Target ID:0
Start time:11:29:03
Start date:19/04/2024
Path:C:\Users\user\Desktop\compiler.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\compiler.exe"
Imagebase:0x720000
File size:91'136 bytes
MD5 hash:DD98A43CB27EFD5BCC29EFB23FDD6CA5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:1
Start time:11:29:03
Start date:19/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff68cce0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

No disassembly