
Windows Analysis Report
GateUtilityHelper.exe

Overview

General Information

Sample name:GateUtilityHelper.exe
Analysis ID:1428920
MD5:ea802d05db84a72cd98fe9b3628832c8
SHA1:7c3c11e9dea2fdc111180d107daff5f3d0b71374
SHA256:42e59f21ff168b461817dedeec34c97c06c2f675ebb2be932f0948024c96c34c

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates or modifies windows services
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)

Process Tree

  • System is w10x64_ra
  • GateUtilityHelper.exe (PID: 6940 cmdline: "C:\Users\user\Desktop\GateUtilityHelper.exe" MD5: EA802D05DB84A72CD98FE9B3628832C8)
    • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • GateUtilityHelper.exe (PID: 5500 cmdline: "C:\Users\user\Desktop\GateUtilityHelper.exe" MD5: EA802D05DB84A72CD98FE9B3628832C8)
    • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Signature Results

Source: GateUtilityHelper.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: GateUtilityHelper.exe | Binary string: D:\Tycon\GateUtility\GateUtility\GateUtilityHelper\obj\Release\GateUtilityHelper.pdb

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security (3 times)
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\GateUtilityHelper

Reads the System eventlog
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System (3 times)
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\GateUtilityHelper
PE file does not import any functions
Source: GateUtilityHelper.exe | Static PE information: No import functions for PE file found

Source: classification engine | Classification label: mal48.evad.winEXE@4/0@0/0
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: GateUtilityHelper.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GateUtilityHelper.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\GateUtilityHelper.exe "C:\Users\user\Desktop\GateUtilityHelper.exe" (2 times)
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (2 times)
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, textshaping.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (the report lists this load sequence twice, with some DLLs repeated; duplicates collapsed)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: GateUtilityHelper.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GateUtilityHelper.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: GateUtilityHelper.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains a suspicious time stamp
Source: GateUtilityHelper.exe | Static PE information: 0xE330603D [Fri Oct 13 17:19:57 2090 UTC]

Creates or modifies windows services
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Process information set: NOOPENFILEERRORBOX (38 times)

Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Memory allocated: 16F4AF10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Memory allocated: 16F62F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Memory allocated: 2007D6F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Memory allocated: 2007F190000 memory reserve | memory write watch

Contains long sleeps (>= 3 min) / May sleep (evasive loops) to hinder dynamic analysis / Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Thread delayed: delay time: 922337203685477 (4 times)
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | TID: 7012 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | TID: 6300 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Memory allocated: page read and write | page guard

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\GateUtilityHelper.exe | Queries volume information: C:\Users\user\Desktop\GateUtilityHelper.exe VolumeInformation (2 times)
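The eventlog, mutex, service and sleep signatures above are best read together. Three opens of EventLog\Security and EventLog\System, a probe of EventLog\<log>\GateUtilityHelper under each, a key creation under EventLog\Application and the Global\netfxeventlog.1.0 mutex (the mutex the .NET Framework EventLog class takes while registering a source) are the footprint of EventLog.SourceExists followed by EventLog.CreateEventSource, and the "Creates or modifies windows services" hit rests only on the Application log key, which lives under the Services hive but is not a service entry. The 922337203685477 ms delay is 2^63 hundred-nanosecond ticks expressed in milliseconds, i.e. the Sleep(INFINITE)-style relative timeout: the process blocks until signalled, which the sandbox reports as a long sleep once its timeout ends the run. The script below is an added example (not Joe Sandbox or sample code) that encodes these checks and runs them over events transcribed from this report plus one constructed contrast case of a genuine service key; the reading of the artifacts as .NET event-source registration is an inference from the report, not something the report states.

```python
import re
from collections import Counter

# Events transcribed from the report above as (process, operation, target); not captured live.
REPORT_EVENTS = [
    ("GateUtilityHelper.exe", "key_opened", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security"),
    ("GateUtilityHelper.exe", "key_opened", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security"),
    ("GateUtilityHelper.exe", "key_opened", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security"),
    ("GateUtilityHelper.exe", "key_opened", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\GateUtilityHelper"),
    ("GateUtilityHelper.exe", "key_opened", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System"),
    ("GateUtilityHelper.exe", "key_opened", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System"),
    ("GateUtilityHelper.exe", "key_opened", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\GateUtilityHelper"),
    ("GateUtilityHelper.exe", "key_opened", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System"),
    ("GateUtilityHelper.exe", "key_created", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application"),
    ("GateUtilityHelper.exe", "mutant_created", r"\Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0"),
    ("conhost.exe", "mutant_created", r"\Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03"),
    ("GateUtilityHelper.exe", "thread_delayed", "922337203685477"),
]

# Constructed contrast case (hypothetical, not from the report): a real service being installed.
HYPOTHETICAL_SERVICE_EVENTS = [
    ("installer.exe", "key_created", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HypotheticalSvc"),
    ("installer.exe", "value_set", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HypotheticalSvc\ImagePath"),
    ("installer.exe", "thread_delayed", "180000"),
]

SERVICES_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\(.+)$",
    re.IGNORECASE,
)
NETFX_EVENTLOG_MUTEX = "netfxeventlog.1.0"  # taken by .NET Framework EventLog.CreateEventSource
# A relative NT timeout is a signed 64-bit count of 100 ns units. Its extreme magnitude, which
# SleepEx(INFINITE) hands to the kernel, is 2**63 ticks; the report prints it in milliseconds.
INFINITE_WAIT_MS = 2**63 // 10_000  # 922337203685477


def classify_services_key(key):
    """Classify a path below HKLM\\SYSTEM\\<ControlSet>\\Services.

    Returns (kind, name, source):
      ("eventlog-log", <log>, None)         for Services\\EventLog\\<log>
      ("eventlog-source", <log>, <source>)  for Services\\EventLog\\<log>\\<source>
      ("service", <svc>, None)              for Services\\<svc>[\\...] with any other svc
      ("other", None, None)                 for anything not below Services
    """
    m = SERVICES_RE.match(key)
    if not m:
        return ("other", None, None)
    parts = m.group(1).split("\\")
    if parts[0].lower() != "eventlog":
        return ("service", parts[0], None)
    if len(parts) == 2:
        return ("eventlog-log", parts[1], None)
    if len(parts) >= 3:
        return ("eventlog-source", parts[1], parts[2])
    return ("other", None, None)


def is_infinite_wait(delay_ms):
    """True for the Sleep(INFINITE)-shaped value; the report prints it with either sign."""
    return abs(int(delay_ms)) == INFINITE_WAIT_MS


def triage(events):
    logs_opened = Counter()
    source_probes = set()
    eventlog_keys_created = []
    service_keys_touched = set()
    netfx_mutex = False
    infinite_waits = 0
    for _proc, op, target in events:
        if op == "mutant_created":
            netfx_mutex |= target.rsplit("\\", 1)[-1].lower() == NETFX_EVENTLOG_MUTEX
        elif op == "thread_delayed":
            infinite_waits += is_infinite_wait(target)
        elif op in ("key_opened", "key_created", "value_set"):
            kind, name, source = classify_services_key(target)
            if kind == "eventlog-log" and op == "key_opened":
                logs_opened[name] += 1
            elif kind == "eventlog-log" and op == "key_created":
                eventlog_keys_created.append(name)
            elif kind == "eventlog-source":
                source_probes.add((name, source))
            elif kind == "service" and op in ("key_created", "value_set"):
                service_keys_touched.add(name)
    source_names = {s for _, s in source_probes}
    # EventLog.SourceExists walks every log under Services\EventLog looking for <log>\<source>;
    # CreateEventSource then takes the netfxeventlog mutex and creates keys under the chosen log.
    if netfx_mutex and len(source_names) == 1 and eventlog_keys_created:
        verdict = "dotnet-eventlog-source-registration"
    elif service_keys_touched:
        verdict = "service-install"
    else:
        verdict = "unclassified"
    return {
        "logs_opened": dict(logs_opened),
        "source_names": source_names,
        "eventlog_keys_created": eventlog_keys_created,
        "service_keys_touched": service_keys_touched,
        "netfx_mutex": netfx_mutex,
        "infinite_waits": infinite_waits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, evs in (("report", REPORT_EVENTS), ("hypothetical service", HYPOTHETICAL_SERVICE_EVENTS)):
        print(label, triage(evs))
```

The distinction the script draws is the one to carry into a review of this report: a key created under Services\EventLog\<log> is event-log configuration, a key created under Services\<name> with an ImagePath is a service, and only the second deserves the "creates or modifies windows services" reading.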
MITRE ATT&CK Matrix (techniques with signature hits; the number in parentheses is the hit count)

Persistence: Windows Service (1), DLL Side-Loading (1)
Privilege Escalation: Windows Service (1), Process Injection (1), DLL Side-Loading (1)
Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (1), Timestomp (1), DLL Side-Loading (1)
Discovery: Virtualization/Sandbox Evasion (31), System Information Discovery (11)
No hits: Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Behavior Graph (ID 1428920, sample GateUtilityHelper.exe, start date 19/04/2024, architecture WINDOWS, score 48): two GateUtilityHelper.exe processes are started from the root, each starting a conhost.exe child; the signatures "Reads the Security eventlog" and "Reads the System eventlog" are attached to the first instance.

No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1428920
Start date and time:2024-04-19 21:12:15 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 47s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:GateUtilityHelper.exe
Detection:MAL
Classification:mal48.evad.winEXE@4/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 2
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target GateUtilityHelper.exe, PID 5500 because it is empty
  • Execution Graph export aborted for target GateUtilityHelper.exe, PID 6940 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: GateUtilityHelper.exe
No simulations
No context
No created / dropped files found
File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):4.865933203872628
TrID:
  • Win64 Executable Console Net Framework (206006/5) 48.58%
  • Win64 Executable Console (202006/5) 47.64%
  • Win64 Executable (generic) (12005/4) 2.83%
  • Generic Win/DOS Executable (2004/3) 0.47%
  • DOS Executable Generic (2002/1) 0.47%
File name:GateUtilityHelper.exe
File size:47'616 bytes
MD5:ea802d05db84a72cd98fe9b3628832c8
SHA1:7c3c11e9dea2fdc111180d107daff5f3d0b71374
SHA256:42e59f21ff168b461817dedeec34c97c06c2f675ebb2be932f0948024c96c34c
SHA512:059d267c1fd3315f9383d4acbe2191867163157233b8600310497778aeb75aa95073b9e4bb5d01cbd09f2a67d73c285cb07747c54ab66afa6fb713e84c3de8b9
SSDEEP:384:V89Bmpx6vzwKIx2eve77+N0yiI0MUc1Qzl0aNL10kvjNvrx0iCJbAsiu90d6UMZZ:VreyrmzGE5OPdRmmMfSudYEoh62
TLSH:1C235408B3DE9271E2FD0BB588B5D2744179AD43D952E31E3CCC9ECB7A22A8057017A7
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...=`0..........."...0......,........... .....@..... ....................................`...@......@............... .....
Icon Hash:076d449292503107
Entrypoint:0x140000000
Entrypoint Section:
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xE330603D [Fri Oct 13 17:19:57 2090 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:
Instruction (disassembly at the entry point; AddressOfEntryPoint is 0, so the bytes decoded here are the DOS header 4D 5A 90 00 03 00 00 00 04 00 00 00 read as x86, not real code; the managed entry point is reached through the CLR header instead)
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Data Directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x2a4c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xab44 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Section: .text
  Virtual Address: 0x2000 | Virtual Size: 0x8be9 | Raw Size: 0x8c00 | MD5: 442c3caee43e12e51b14ea5994c9af3e | Xored PE: False | ZLIB Complexity: 0.3646763392857143 | File Type: data | Entropy: 5.505489866184046 | Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Section: .rsrc
  Virtual Address: 0xc000 | Virtual Size: 0x2a4c | Raw Size: 0x2c00 | MD5: 26e25f5d6a1f1ad22d40273c32ef9ddf | Xored PE: False | ZLIB Complexity: 0.19584517045454544 | File Type: data | Entropy: 1.8644526967385155 | Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity)
RT_ICON | 0xc0c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.1812240663900415
RT_GROUP_ICON | 0xe680 | 0x14 | data | | | 1.15
RT_VERSION | 0xe6a4 | 0x3a4 | data | | | 0.4130901287553648
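The static fields above (TimeDateStamp 0xE330603D decoding to the year 2090, an empty IMPORT directory, a populated COM_DESCRIPTOR directory, an entry point equal to the image base, an empty SECURITY directory and the DllCharacteristics flags) fit a well-known benign pattern rather than timestomping: Roslyn's deterministic builds write a hash-derived value into TimeDateStamp, and a 64-bit managed assembly carries no native _CorExeMain import stub, so it has no import table and AddressOfEntryPoint 0. The "Binary contains a suspicious time stamp" signature and the Timestomp mapping in the ATT&CK matrix rest on this one field. The script below is an added example, not part of the Joe Sandbox report or the sample; it rebuilds a minimal PE32+ header from the values the report lists (fields the report does not give, such as linker version and alignments, are placeholders) and runs the triage a reviewer would apply to any such hit. To use it on a real file, pass the file's bytes instead of build_sample_header().

```python
import struct
from datetime import datetime, timedelta, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
DIR_IMPORT, DIR_SECURITY, DIR_COM_DESCRIPTOR = 1, 4, 14
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE",
}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ANALYSIS_TIME = datetime(2024, 4, 19, 21, 12, 15, tzinfo=timezone(timedelta(hours=2)))  # report start time


def build_sample_header():
    """Constructed PE32+ header carrying the report's values for the sample (machine, timestamp,
    entry point, image base, DllCharacteristics, data directories). Linker version, alignments and
    stack/heap sizes are placeholders the report does not give; no section bodies are included."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + bytes(0x3A) + struct.pack("<I", e_lfanew)  # e_lfanew lives at 0x3C
    dos += bytes(e_lfanew - len(dos))
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0xE330603D, 0, 0, 0xF0, 0x0022)
    dirs = [(0, 0)] * 16
    dirs[2] = (0xC000, 0x2A4C)                 # RESOURCE (.rsrc)
    dirs[6] = (0xAB44, 0x38)                   # DEBUG (.text)
    dirs[DIR_COM_DESCRIPTOR] = (0x2000, 0x48)  # CLR header (.text)
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        PE32PLUS_MAGIC, 48, 0,               # Magic, linker major/minor (placeholder)
        0x8C00, 0x2C00, 0,                   # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0,                                   # AddressOfEntryPoint = 0 (report: entrypoint == image base)
        0x2000,                              # BaseOfCode
        0x140000000,                         # ImageBase
        0x2000, 0x200,                       # SectionAlignment, FileAlignment (placeholder)
        4, 0, 4, 0, 4, 0,                    # OS, image and subsystem versions, 4.0 each
        0, 0x10000, 0x200, 0,                # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0x8560,                           # Subsystem WINDOWS_CUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack/heap reserve and commit (placeholder)
        0, 16,                               # LoaderFlags, NumberOfRvaAndSizes
    )
    for rva, size in dirs:
        opt += struct.pack("<II", rva, size)
    return bytes(dos) + b"PE\0\0" + coff + opt


def parse_pe32plus(data):
    """Extract the header fields the triage needs from a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    return {"machine": machine, "timestamp": timestamp, "entry_point": entry,
            "image_base": image_base, "dll_characteristics": dllchars, "dirs": dirs}


def triage(data, analysis_time):
    """Is 'suspicious timestamp' plus 'no imports' timestomping, or the shape of a 64-bit .NET build?"""
    pe = parse_pe32plus(data)
    built = EPOCH + timedelta(seconds=pe["timestamp"])  # avoids platform time_t limits

    def dirsize(i):
        return pe["dirs"][i][1] if i < len(pe["dirs"]) else 0

    has_clr = dirsize(DIR_COM_DESCRIPTOR) != 0
    has_imports = dirsize(DIR_IMPORT) != 0
    # Roslyn deterministic builds store a hash-derived value in TimeDateStamp, so it decodes to an
    # arbitrary date. A CLR header with no import table and AddressOfEntryPoint 0 is the layout of
    # a 64-bit managed image, which needs no native _CorExeMain stub.
    managed_no_stub = has_clr and not has_imports and pe["entry_point"] == 0
    future = built > analysis_time
    if future and managed_no_stub:
        verdict = "deterministic-dotnet-build-likely"
    elif future:
        verdict = "timestamp-needs-explaining"
    else:
        verdict = "timestamp-plausible"
    return {
        "timestamp": pe["timestamp"], "timestamp_utc": built.isoformat(), "future": future,
        "has_clr_header": has_clr, "has_imports": has_imports,
        "authenticode_signed": dirsize(DIR_SECURITY) != 0,
        "entry_point": pe["entry_point"], "image_base": pe["image_base"],
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items())
                                if pe["dll_characteristics"] & bit],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in triage(build_sample_header(), ANALYSIS_TIME).items():
        print(f"{k}: {v}")
```

The verdict only says the static shape is explained; it does not vouch for the code. The PDB path, the TRID match and the mscoree.dll load all agree with a .NET Framework console build, so the static hits here point at toolchain behaviour rather than at deliberate evasion, and the dynamic behaviour is where the review effort belongs.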
No network behavior found

Target ID:0
Start time:21:12:42
Start date:19/04/2024
Path:C:\Users\user\Desktop\GateUtilityHelper.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\GateUtilityHelper.exe"
Imagebase:0x16f49420000
File size:47'616 bytes
MD5 hash:EA802D05DB84A72CD98FE9B3628832C8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:21:12:42
Start date:19/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:21:12:59
Start date:19/04/2024
Path:C:\Users\user\Desktop\GateUtilityHelper.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\GateUtilityHelper.exe"
Imagebase:0x2007d3c0000
File size:47'616 bytes
MD5 hash:EA802D05DB84A72CD98FE9B3628832C8
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:13
Start time:21:12:59
Start date:19/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Memory Dump Source: 00000000.00000002.1290556132.00007FFEC9240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC9240000, based on PE: false
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_7ffec9240000_GateUtilityHelper.jbxd
Similarity: API ID: (empty) | String ID: (empty) | API String ID: (empty)
Opcode ID: df9b860b18c88db6bc3b4faa5af9f4d6612cd6a83c43ecc5cf448cc19d8bb2db
Instruction ID: 601e00f74ae41ecffb9e798b273bd747740495a64bdfe759d4f46f1229b4cbb1
Opcode Fuzzy Hash: df9b860b18c88db6bc3b4faa5af9f4d6612cd6a83c43ecc5cf448cc19d8bb2db
Instruction Fuzzy Hash: 7FD05E12B6C9094BB688A62E38562FCA3C3D7C862175441B6E40EC2245ED185C8342C5
Uniqueness Score: -1.00%

Memory Dump Source: 0000000C.00000002.1363889386.00007FFEC8470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8470000, based on PE: false
Joe Sandbox IDA Plugin snapshot file: hcaresult_12_2_7ffec8470000_GateUtilityHelper.jbxd
Similarity: API ID: (empty) | String ID: (empty) | API String ID: (empty)
Opcode ID: 1d857ec235e77b290a3fd7fb35f86da31075ccb56d64594cd98673ed410bef98
Instruction ID: d287385c096f4984560044d2bbd688e3d789f5d72d2b13aaef5489e3e9711831
Opcode Fuzzy Hash: 1d857ec235e77b290a3fd7fb35f86da31075ccb56d64594cd98673ed410bef98
Instruction Fuzzy Hash: A0D02E42B08A0A0BE688E22D3C491BC73A2E7C922179440B2E00AC2296ED084A830380
Uniqueness Score: -1.00%