Windows
Analysis Report
task.exe
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64_ra
- task.exe (PID: 7096, cmdline: `"C:\Users\user\Desktop\task.exe"`, MD5: 8A02BF22F75FBF6A3C9172238717BA4C)
- conhost.exe (PID: 7104, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
There are no malicious signatures.
Signature evidence sources (detail column not captured in this extract):
- Static PE information
- Binary string
- String found in binary or memory
- Classification label
- Mutant created
- Key opened
- Process created
- Section loaded
- Thread injection, dropped files, key value created, disk infection and DNS query
- Last function
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1429064 |
Start date and time: | 2024-04-20 14:39:04 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 37s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | task.exe |
Detection: | CLEAN |
Classification: | clean1.winEXE@2/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
File type: | |
Entropy (8bit): | 6.414681398502372 |
TrID: | |
File name: | task.exe |
File size: | 363'272 bytes |
MD5: | 8a02bf22f75fbf6a3c9172238717ba4c |
SHA1: | 78543f6ea51a8f49fec95d4ac7631ca0c06be645 |
SHA256: | 5c6c61de91323d8bb5027333b75e9ebfca4e42c5141fd440daed5011943c2545 |
SHA512: | c4caf5565be05c979d260b9b3b07755e490a4e99df0fb76e8b27e61583cae912b93d907b524e4c8abf11a046c8a91f098a7993f3ae09798c8d241e7325f4858f |
SSDEEP: | 6144:fGXrAzSVpCreFHGjWIH6BlSIQEaohkHfPvl9eZ:ObAzSVpCr5WAhvoSHHWZ |
TLSH: | 86744B19BBD436F4F967C178C4A01506DEB1BC094B28F6BF47A44A652E236A0DE3D732 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.*...DK..DK..DK..GJ..DK..AJ..DK..@J..DK...K..DK..CJ..DKs.AJ9.DKs.@J..DKs.GJ..DK..EJ..DK..EJ..DK..EK..DK..LJ..DK..DJ..DK...K..D |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x140001780 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65989F7E [Sat Jan 6 00:31:58 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 1507d1819ab873f5f5a6a05f0918739f |
Signature Valid: | true |
Signature Issuer: | CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 97355BCEE41595DF26282461BC9E7C46 |
Thumbprint SHA-1: | C8109BDD00AA2491212910D0A65DDB9455D2495D |
Thumbprint SHA-256: | EFA8AC129CFF59E4C40F85E4D3BFAD47F6F7E8CD79F2F28CD1B798A6CCA74B09 |
Serial: | 70045E1A3A594DFAC651C85B86121879 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F98A4E3ED30h |
dec eax |
add esp, 28h |
jmp 00007F98A4E3E93Fh |
int3 |
int3 |
dec eax |
sub esp, 28h |
call 00007F98A4E3F288h |
test eax, eax |
je 00007F98A4E3EAF3h |
dec eax |
mov eax, dword ptr [00000030h] |
dec eax |
mov ecx, dword ptr [eax+08h] |
jmp 00007F98A4E3EAD7h |
dec eax |
cmp ecx, eax |
je 00007F98A4E3EAE6h |
xor eax, eax |
dec eax |
cmpxchg dword ptr [00053758h], ecx |
jne 00007F98A4E3EAC0h |
xor al, al |
dec eax |
add esp, 28h |
ret |
mov al, 01h |
jmp 00007F98A4E3EAC9h |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
movzx eax, byte ptr [00053743h] |
test ecx, ecx |
mov ebx, 00000001h |
cmove eax, ebx |
mov byte ptr [00053733h], al |
call 00007F98A4E3F08Fh |
call 00007F98A4E3F6C2h |
test al, al |
jne 00007F98A4E3EAD6h |
xor al, al |
jmp 00007F98A4E3EAE6h |
call 00007F98A4E4E22Dh |
test al, al |
jne 00007F98A4E3EADBh |
xor ecx, ecx |
call 00007F98A4E3F6D2h |
jmp 00007F98A4E3EABCh |
mov al, bl |
dec eax |
add esp, 20h |
pop ebx |
ret |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
cmp byte ptr [000536F8h], 00000000h |
mov ebx, ecx |
jne 00007F98A4E3EB39h |
cmp ecx, 01h |
jnbe 00007F98A4E3EB3Ch |
call 00007F98A4E3F1EEh |
test eax, eax |
je 00007F98A4E3EAFAh |
test ebx, ebx |
jne 00007F98A4E3EAF6h |
dec eax |
lea ecx, dword ptr [000536E2h] |
call 00007F98A4E3EB1Eh |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x42b80 | 0x1a4 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x42d24 | 0xdc | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x434 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x56000 | 0x1c5c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x56200 | 0x2908 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a000 | 0x6cc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3f880 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3f8e0 | 0x138 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x4d8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3242c | 0x32600 | 4a92c57d1b12b27208391c4f3c5f65e1 | False | 0.49418908964019853 | data | 6.408955739465912 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x34000 | 0xfe1e | 0x10000 | a94837f7a4eddd9683742d584be57b4f | False | 0.4621429443359375 | data | 5.1503657728043954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x44000 | 0x11cd8 | 0x10a00 | a5d9be9af76f07fd41ba9be2ad11bd0d | False | 0.16168350563909775 | data | 5.009557832575589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x56000 | 0x1c5c | 0x1e00 | 71185e3d14e5e86c933c6538ad1f3d0f | False | 0.47408854166666664 | data | 5.1604041978171225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x58000 | 0xfc | 0x200 | 306a8f944177c4b94b4132c82cf74cf2 | False | 0.306640625 | data | 1.9876897658321124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x59000 | 0x434 | 0x600 | 124c05d17be7c3b0865c1fe8bdbc0bc0 | False | 0.349609375 | data | 4.638606943266937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x5a000 | 0x6cc | 0x800 | 05300dc6bf3543a7ab6a06160c718171 | False | 0.5341796875 | data | 5.064355067037347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x590a0 | 0x238 | data | English | United States | 0.5052816901408451 |
RT_MANIFEST | 0x592d8 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786 |
DLL | Import |
---|---|
KERNEL32.dll | FindFirstFileW, SetLastError, FindNextFileW, TerminateProcess, WaitForMultipleObjects, SetEnvironmentVariableW, FindClose, WaitForSingleObject, GetSystemDirectoryW, UnmapViewOfFile, Sleep, GetFileAttributesExW, GetCurrentThread, GetCurrentDirectoryW, RtlCaptureStackBackTrace, GetModuleHandleW, FreeLibrary, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, LoadLibraryExW, ReadFile, GetTempPathW, CreateSemaphoreW, LoadLibraryW, SetEndOfFile, HeapSize, GetStringTypeW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, CreateFileW, GetProcessId, RaiseException, LeaveCriticalSection, EnterCriticalSection, SetConsoleTextAttribute, GetConsoleScreenBufferInfo, GetProcessHeap, GetCurrentProcessId, LocalFree, HeapAlloc, DeleteProcThreadAttributeList, CloseHandle, UpdateProcThreadAttribute, GetLastError, lstrcmpA, GetCurrentThreadId, LocalAlloc, GetEnvironmentVariableA, GetEnvironmentVariableW, InitializeProcThreadAttributeList, GetModuleFileNameW, GetStdHandle, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, FlushFileBuffers, OutputDebugStringW, SetStdHandle, GetFileSizeEx, GetConsoleOutputCP, ReadConsoleW, GetConsoleMode, SetFilePointerEx, HeapReAlloc, LCMapStringW, SetThreadAffinityMask, ReleaseSemaphore, CompareStringW, GetCurrentProcess, HeapFree, GetModuleFileNameA, GetProcAddress, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, MultiByteToWideChar, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, WriteFile, WriteConsoleW, __C_specific_handler, GetFileType, FreeLibraryAndExitThread, ExitThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetTimeZoneInformation, GetVersion, GetModuleHandleA, GetModuleHandleExW, ExitProcess, RtlPcToFileHeader, EncodePointer, RtlUnwindEx, TlsFree, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue |
USER32.dll | OpenInputDesktop, GetUserObjectInformationW, CloseDesktop |
ADVAPI32.dll | RegQueryValueExW, CreateProcessAsUserW, ReportEventW, RegCloseKey, RegOpenKeyExW, RegGetValueW |
libcrypto-3-x64.dll | EVP_md5, EVP_sha256, EVP_DigestUpdate, EVP_MD_CTX_free, EVP_DigestInit_ex, HMAC, EVP_MD_get_size, EVP_DigestFinal_ex, EVP_MD_CTX_new |
WINTRUST.dll | WinVerifyTrust |
CRYPT32.dll | CryptMsgClose, CryptQueryObject, CertCloseStore, CryptMsgGetParam, CryptDecodeObject |
dbghelp.dll | SymInitialize, SymGetLineFromAddr64, MiniDumpWriteDump, SymFromAddr |
ntdll.dll | RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext |
RPCRT4.dll | UuidCreate, RpcStringFreeW, UuidToStringW |
WTSAPI32.dll | WTSQueryUserToken |
Name | Ordinal | Address |
---|---|---|
get_environment_variable | 1 | 0x140021060 |
get_environment_variable_a | 2 | 0x140020f90 |
get_environment_variable_w | 3 | 0x140020eb0 |
get_module_file_name | 4 | 0x1400212f0 |
get_module_file_name_a | 5 | 0x140021220 |
get_module_file_name_w | 6 | 0x140021140 |
p_exception_esrv | 7 | 0x140055cc0 |
set_current_directory | 8 | 0x140021400 |
set_current_directory_a | 9 | 0x1400213f0 |
set_current_directory_w | 10 | 0x1400213e0 |
sh_get_known_folder_path | 11 | 0x140020e80 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 14:39:32 |
Start date: | 20/04/2024 |
Path: | C:\Users\user\Desktop\task.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ba7d0000 |
File size: | 363'272 bytes |
MD5 hash: | 8A02BF22F75FBF6A3C9172238717BA4C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 14:39:32 |
Start date: | 20/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6684c0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |