Windows Analysis Report
MSIAB95.exe

Overview

General Information

Sample name:MSIAB95.exe
Analysis ID:1430556
MD5:f49fa6e44a93ccd5d9b9630c82176c15
SHA1:36a68eeac8258f807cad278e2e40795e6b0b2d49
SHA256:17724c4058cd5fcf0fff240a819440252d1f9abb4d649d31811766086431f799

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • MSIAB95.exe (PID: 7716 cmdline: "C:\Users\user\Desktop\MSIAB95.exe" MD5: F49FA6E44A93CCD5D9B9630C82176C15)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

  • MSIAB95.exe: Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
  • MSIAB95.exe, 00000000.00000002.1623451368.00000000004AD000.00000002.00000001.01000000.00000003.sdmp: Binary or memory string: OriginalFilenameFMPro_PreInstall_BU.exe vs MSIAB95.exe
  • MSIAB95.exe: Binary or memory string: OriginalFilenameFMPro_PreInstall_BU.exe vs MSIAB95.exe
  • MSIAB95.exe: Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  • classification engine: Classification label: clean1.winEXE@1/0@0/0
  • C:\Users\user\Desktop\MSIAB95.exe: Mutant created: NULL
  • C:\Users\user\Desktop\MSIAB95.exe: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • MSIAB95.exe: String found in binary or memory: CommentsPre-Install Backup Utility0
  • C:\Users\user\Desktop\MSIAB95.exe: Sections loaded: apphelp.dll, acgenral.dll, uxtheme.dll, winmm.dll, samcli.dll, msacm32.dll, version.dll, userenv.dll, dwmapi.dll, urlmon.dll, mpr.dll, sspicli.dll, winmmbase.dll, iertutil.dll, srvcli.dll, netutils.dll, aclayers.dll, sfc.dll, sfc_os.dll, msvbvm60.dll, vb6zz.dll, kernel.appcore.dll, sxs.dll, asycfilt.dll
  • MSIAB95.exe: Static PE information: section name: .text entropy: 7.960976119041043
  • C:\Users\user\Desktop\MSIAB95.exe: Process information set: NOOPENFILEERRORBOX
  • all processes: Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK Matrix (tactic: techniques; a number in parentheses is the count of matching signatures, entries without a number are unmatched placeholders)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Software Packing (2); DLL Side-Loading (1); Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: System Information Discovery (1); Application Window Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Source        Detection  Scanner         Label  Link
MSIAB95.exe   7%         ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1430556
Start date and time:2024-04-23 21:44:13 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 52s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:MSIAB95.exe
Detection:CLEAN
Classification:clean1.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • VT rate limit hit for: MSIAB95.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.923561136935899
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.15%
  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:MSIAB95.exe
File size:712'704 bytes
MD5:f49fa6e44a93ccd5d9b9630c82176c15
SHA1:36a68eeac8258f807cad278e2e40795e6b0b2d49
SHA256:17724c4058cd5fcf0fff240a819440252d1f9abb4d649d31811766086431f799
SHA512:382115a75b2eeaddd0394cc049b3470e4e5ccedb3fd0f3dddadbed48fc390c7cfffc0deb8b63b3e9f60b26d09e003694f4d02961daa474965cb6947116304649
SSDEEP:12288:RhGnFG311Ie2IVMoe5GefmIhkZRkn5yX5CIV3pHQSSDp/:w0Id4/hefPkb+5cCI7/SR
TLSH:76E42392EBB0A9F5FE924E701E11DDA48C1B7C18CF055DAD814D67148EB0F8EA0F6792
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...w..G..................... ....................@................
Icon Hash:00869eb0b230201f
Entrypoint:0x401310
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x47A8B977 [Tue Feb 5 19:31:03 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:5f9c64e01f118a722800e5185355296d
Instruction
Data directories (Name: Virtual Address, Virtual Size, Is in Section):
  • IMAGE_DIRECTORY_ENTRY_EXPORT: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_IMPORT: 0xab834, 0x28, .text
  • IMAGE_DIRECTORY_ENTRY_RESOURCE: 0xad000, 0x960, .rsrc
  • IMAGE_DIRECTORY_ENTRY_EXCEPTION: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_SECURITY: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_BASERELOC: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_DEBUG: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_COPYRIGHT: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_GLOBALPTR: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_TLS: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: 0x228, 0x20 (not in a section)
  • IMAGE_DIRECTORY_ENTRY_IAT: 0x1000, 0x124, .text
  • IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_RESERVED: 0x0, 0x0
Sections (Name: Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):
  • .text: 0x1000, 0xaad68, 0xab000, MD5 90428f8781594233c97609b2d1002903, Xored PE False, ZLIB Complexity 0.9908068919042398, data, Entropy 7.960976119041043, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  • .data: 0xac000, 0xaac, 0x1000, MD5 620f0b67a91f7f74151bc5be745b7110, Xored PE False, ZLIB Complexity 0.00634765625, data, Entropy 0.0, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .rsrc: 0xad000, 0x960, 0x1000, MD5 2fdf027e103052033309c4b49695018c, Xored PE False, ZLIB Complexity 0.177978515625, data, Entropy 2.099832655147049, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (Name: RVA, Size, Type, Language, Country, ZLIB Complexity):
  • RT_ICON: 0xad830, 0x130, Device independent bitmap graphic, 32 x 64 x 1, image size 256, ZLIB Complexity 0.3223684210526316
  • RT_ICON: 0xad548, 0x2e8, Device independent bitmap graphic, 32 x 64 x 4, image size 640, ZLIB Complexity 0.19623655913978494
  • RT_ICON: 0xad420, 0x128, Device independent bitmap graphic, 16 x 32 x 4, image size 192, ZLIB Complexity 0.4155405405405405
  • RT_GROUP_ICON: 0xad3f0, 0x30, data, ZLIB Complexity 1.0
  • RT_VERSION: 0xad150, 0x2a0, data, English, United States, ZLIB Complexity 0.46130952380952384
Imports
  • DLL: MSVBVM60.DLL
  • Imported functions: _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaWriteFile, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaI2I4, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, __vbaInputFile, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaVarCat, __vbaI2Var, __vbaStopExe, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaStrToAnsi, __vbaVarDup, __vbaVarCopy, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaI4ErrVar, __vbaFreeStr, __vbaFreeObj
Language of compilation system:English
Country where language is spoken:United States
No network behavior found

Target ID:0
Start time:21:44:58
Start date:23/04/2024
Path:C:\Users\user\Desktop\MSIAB95.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\MSIAB95.exe"
Imagebase:0x400000
File size:712'704 bytes
MD5 hash:F49FA6E44A93CCD5D9B9630C82176C15
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

    Execution Graph

    Execution Coverage:39.3%
    Dynamic/Decrypted Code Coverage:3%
    Signature Coverage:0%
    Total number of Nodes:67
    Total number of Limit Nodes:14

    Control-flow Graph: function 4aab80-4ab365 (basic blocks marked Executed / Not Executed; graph not reproduced)
    APIs
    • __vbaNew2.MSVBVM60(004AA210,004AC38C), ref: 004AAC01
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004AA200,00000014), ref: 004AAC2C
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004AA220,00000050), ref: 004AAC54
    • __vbaInStr.MSVBVM60(00000000,004AA234,?,00000001), ref: 004AAC62
    • __vbaI2I4.MSVBVM60 ref: 004AAC6A
    • __vbaFreeStr.MSVBVM60 ref: 004AAC76
    • __vbaFreeObj.MSVBVM60 ref: 004AAC85
    • __vbaNew2.MSVBVM60(004AA210,004AC38C), ref: 004AAC9A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004AA200,00000014), ref: 004AACBF
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004AA220,00000050), ref: 004AACDF
    • #632.MSVBVM60(?,?,00000001,?), ref: 004AAD11
    • __vbaStrVarMove.MSVBVM60(?), ref: 004AAD1B
    • __vbaStrMove.MSVBVM60 ref: 004AAD2C
    • __vbaFreeObj.MSVBVM60 ref: 004AAD31
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004AAD3D
    • __vbaStrCat.MSVBVM60(\FMPro_InstallPath,?), ref: 004AAD55
    • #645.MSVBVM60(?,00000000), ref: 004AAD63
    • __vbaStrMove.MSVBVM60 ref: 004AAD6E
    • __vbaStrCmp.MSVBVM60(004AA268,00000000), ref: 004AAD76
    • __vbaFreeStr.MSVBVM60 ref: 004AAD89
    • __vbaFreeVar.MSVBVM60 ref: 004AAD92
    • __vbaStrCat.MSVBVM60(\FMPro_InstallPath,?), ref: 004AADAA
    • __vbaStrMove.MSVBVM60 ref: 004AADB1
    • __vbaFileOpen.MSVBVM60(00000001,000000FF,00000001,00000000), ref: 004AADBA
    • __vbaFreeStr.MSVBVM60 ref: 004AADC3
    • __vbaInputFile.MSVBVM60(004AA270,00000001,?), ref: 004AADDA
    • __vbaInputFile.MSVBVM60(004AA270,00000001,?), ref: 004AADE7
    • __vbaFileClose.MSVBVM60(00000001), ref: 004AADEE
    • __vbaInStr.MSVBVM60(00000000,004AA278,?,00000001), ref: 004AAE01
    • __vbaI2I4.MSVBVM60 ref: 004AAE12
    • __vbaInStr.MSVBVM60(00000000,004AA234,?,6CB0ACE1), ref: 004AAE2A
    • __vbaI2I4.MSVBVM60 ref: 004AAE3B
    • #632.MSVBVM60(?,00004002,6CB0ACE1,?), ref: 004AAE70
    • __vbaStrVarMove.MSVBVM60(?), ref: 004AAE7A
    • __vbaStrMove.MSVBVM60 ref: 004AAE85
    • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 004AAE91
    • __vbaLenBstr.MSVBVM60(?), ref: 004AAE9E
    • #632.MSVBVM60(?,00004008,6CB0ACE1,00000002), ref: 004AAED0
    • __vbaStrVarMove.MSVBVM60(?), ref: 004AAEDA
    • __vbaStrMove.MSVBVM60 ref: 004AAEE5
    • __vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 004AAEF1
    • __vbaStrCopy.MSVBVM60 ref: 004AAEFF
    • __vbaStrVarMove.MSVBVM60(?,?,80000002,SOFTWARE\ODBC\ODBC.ini\FMPro,DBQ,80000002,SOFTWARE\ODBC\ODBC.ini\FMPro), ref: 004AAF35
    • __vbaStrMove.MSVBVM60 ref: 004AAF40
    • __vbaFreeVar.MSVBVM60 ref: 004AAF45
    • __vbaStrCat.MSVBVM60(\FMPro_BU_DSN.ini,?), ref: 004AAF54
    • __vbaStrMove.MSVBVM60 ref: 004AAF5B
    • __vbaFileOpen.MSVBVM60(00000002,000000FF,00000001,00000000), ref: 004AAF64
    • __vbaFreeStr.MSVBVM60 ref: 004AAF6D
    • __vbaWriteFile.MSVBVM60(004AA544,00000001,DSNPath,?), ref: 004AAF83
    • __vbaFileClose.MSVBVM60(00000001), ref: 004AAF8E
    • __vbaStrCat.MSVBVM60(\FMPro_BU_DSN.ini,?,80000002,SOFTWARE\ODBC\ODBC.ini\FMPro), ref: 004AAF9F
    • #645.MSVBVM60(?,00000000), ref: 004AAFB1
    • __vbaStrMove.MSVBVM60 ref: 004AAFBC
    • __vbaStrCmp.MSVBVM60(004AA268,00000000), ref: 004AAFC4
    • __vbaFreeStr.MSVBVM60 ref: 004AAFD7
    • __vbaFreeVar.MSVBVM60 ref: 004AAFE0
    • __vbaStrCat.MSVBVM60(\FMPro_BU_DSN.ini,?), ref: 004AAFF4
    • #529.MSVBVM60(00000008), ref: 004AB004
    • __vbaFreeVar.MSVBVM60 ref: 004AB00D
    • __vbaStrCat.MSVBVM60(\FMPro.ini,?), ref: 004AB01C
    • #645.MSVBVM60(00000008,00000000), ref: 004AB02E
    • __vbaStrMove.MSVBVM60 ref: 004AB039
    • __vbaStrCmp.MSVBVM60(004AA268,00000000), ref: 004AB041
    • __vbaFreeStr.MSVBVM60 ref: 004AB054
    • __vbaFreeVar.MSVBVM60 ref: 004AB05D
    • __vbaStrCat.MSVBVM60(\FMPro_BU_INI.ini,?), ref: 004AB071
    • __vbaStrMove.MSVBVM60 ref: 004AB078
    • __vbaStrCat.MSVBVM60(\FMPro.ini,?,00000000), ref: 004AB084
    • __vbaStrMove.MSVBVM60 ref: 004AB08B
    • #576.MSVBVM60(00000000), ref: 004AB08E
    • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 004AB09E
    • __vbaStrCat.MSVBVM60(\FMPro_BU_INI.ini,?), ref: 004AB0B2
    • #645.MSVBVM60(00000008,00000000), ref: 004AB0C4
    • __vbaStrMove.MSVBVM60 ref: 004AB0CF
    • __vbaStrCmp.MSVBVM60(004AA268,00000000), ref: 004AB0D7
    • __vbaFreeStr.MSVBVM60 ref: 004AB0EA
    • __vbaFreeVar.MSVBVM60 ref: 004AB0F3
    • __vbaStrCat.MSVBVM60(\FMPro_BU_INI.ini,?), ref: 004AB107
    • #529.MSVBVM60(00000008), ref: 004AB117
    • __vbaFreeVar.MSVBVM60 ref: 004AB120
    • __vbaStrCat.MSVBVM60(\FDATA\fmpro.mdb,?), ref: 004AB12F
    • #645.MSVBVM60(00000008,00000000), ref: 004AB141
    • __vbaStrMove.MSVBVM60 ref: 004AB14C
    • __vbaStrCmp.MSVBVM60(004AA268,00000000), ref: 004AB154
    • __vbaFreeStr.MSVBVM60 ref: 004AB167
    • __vbaFreeVar.MSVBVM60 ref: 004AB170
    • __vbaStrCat.MSVBVM60(\FMPro_BU_Data.mdb,?), ref: 004AB184
    • __vbaStrMove.MSVBVM60 ref: 004AB18B
    • __vbaStrCat.MSVBVM60(\FDATA\fmpro.mdb,?,00000000), ref: 004AB197
    • __vbaStrMove.MSVBVM60 ref: 004AB19E
    • #576.MSVBVM60(00000000), ref: 004AB1A1
    • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 004AB1B1
    • __vbaStrCat.MSVBVM60(\FMPro_BU_DATA.mdb,?), ref: 004AB1C5
    • #645.MSVBVM60(00000008,00000000), ref: 004AB1D7
    • __vbaStrMove.MSVBVM60 ref: 004AB1E2
    • __vbaStrCmp.MSVBVM60(004AA268,00000000), ref: 004AB1EA
    • __vbaFreeStr.MSVBVM60 ref: 004AB1FD
    • __vbaFreeVar.MSVBVM60 ref: 004AB206
    • __vbaStrCat.MSVBVM60(\FMPro_BU_DATA.mdb,?), ref: 004AB21A
    • #529.MSVBVM60(00000008), ref: 004AB22A
    • __vbaFreeVar.MSVBVM60 ref: 004AB233
    • __vbaStrCat.MSVBVM60(\FDATA\fmpro.mdb,?), ref: 004AB242
    • #645.MSVBVM60(00000008,00000000), ref: 004AB254
    • __vbaStrMove.MSVBVM60 ref: 004AB25F
    • __vbaStrCmp.MSVBVM60(004AA268,00000000), ref: 004AB267
    • __vbaFreeStr.MSVBVM60 ref: 004AB27A
    • __vbaFreeVar.MSVBVM60 ref: 004AB283
    • __vbaNew2.MSVBVM60(004A9D04,004AC010), ref: 004AB2A1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004AA0CC,000001BC), ref: 004AB2CA
    • __vbaEnd.MSVBVM60 ref: 004AB2D2
    • __vbaFreeStr.MSVBVM60(004AB340), ref: 004AB31F
    • __vbaFreeStr.MSVBVM60 ref: 004AB324
    • __vbaFreeStr.MSVBVM60 ref: 004AB329
    • __vbaFreeStr.MSVBVM60 ref: 004AB32E
    • __vbaFreeStr.MSVBVM60 ref: 004AB333
    • __vbaFreeStr.MSVBVM60 ref: 004AB338
    • __vbaFreeStr.MSVBVM60 ref: 004AB33D
    • __vbaErrorOverflow.MSVBVM60 ref: 004AB35F
    Memory Dump Source
    • Source File: 00000000.00000002.1623367980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1623351437.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1623430312.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1623451368.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MSIAB95.jbxd
    Similarity
    • API ID: __vba$Free$Move$#645File$CheckHresultList$#529#632New2$#576CloseInputOpen$BstrCopyErrorOverflowWrite
    • String ID: DBQ$DSNPath$SOFTWARE\ODBC\ODBC.ini\FMPro$\FDATA\fmpro.mdb$\FMPro.ini$\FMPro_BU_DATA.mdb$\FMPro_BU_DSN.ini$\FMPro_BU_Data.mdb$\FMPro_BU_INI.ini$\FMPro_InstallPath
    • API String ID: 3668658785-2433679702
    • Opcode ID: 11950397b5cd1c8ad5e038dc7c8f2ea9d99712a55aae090e07a79cc0beec5f58
    • Instruction ID: d6edd376bdd02765aacfe3b7ed2d0ca74e74b99c9d523b04ab01a41fa6eaa464
    • Opcode Fuzzy Hash: 11950397b5cd1c8ad5e038dc7c8f2ea9d99712a55aae090e07a79cc0beec5f58
    • Instruction Fuzzy Hash: 79324D71E00208AFDB04DFE4DD89AEEBBB8FF55700F10812AE546A72A4DB741945CF59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaStrCopy.MSVBVM60(6CA2A323,6CA3D8B1,00000000,?,?,?,?,00000000,00401166,80000002), ref: 004AB3AA
    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,00000000,00401166,80000002), ref: 004AB3BF
    • __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,?,00000000,00401166,80000002), ref: 004AB3D7
    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00000000,00401166,80000002), ref: 004AB3E1
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00401166,80000002), ref: 004AB3F0
    • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000000,00401166,80000002), ref: 004AB40A
    • __vbaFreeStr.MSVBVM60(004AB42D,?,?,?,?,00000000,00401166,80000002), ref: 004AB426
    Similarity
    • API ID: __vba$ErrorFreeSystem$AnsiCopyUnicode
    • String ID:
    • API String ID: 1746161055-0
    • Opcode ID: 1a7e12c3a7cc14864d804180679477241650f0665aae9d518eb1236223065f67
    • Instruction ID: 842d1e07e5eb4cdcb7913cbb2799e0c6cdfab1b6554b26c8b438ce205c09c966
    • Opcode Fuzzy Hash: 1a7e12c3a7cc14864d804180679477241650f0665aae9d518eb1236223065f67
    • Instruction Fuzzy Hash: 5A11FCB1C002199BCF04DFA5D9459AEBBB8FB58700F00411AFA01B7261D7785945CBE9
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: function 401310-40132d, the entry point, calling #100 (graph not reproduced)
    Similarity
    • API ID: #100
    • String ID: VB5!6&*
    • API String ID: 1341478452-3593831657
    • Opcode ID: 182d30dbcd5f2863b0857807cf8434fdd94f03892309d9481b45c9d2c417e104
    • Instruction ID: 001e0205aac9e156343b128877a2a1f1691d037d9c77c58782923abaf1794803
    • Opcode Fuzzy Hash: 182d30dbcd5f2863b0857807cf8434fdd94f03892309d9481b45c9d2c417e104
    • Instruction Fuzzy Hash: AAD0B68024E3D10FE70B22B818328462FB288236A031B05E3A9A0DF4A3846C1C49C73B
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaStrCopy.MSVBVM60(6CA2A323,6CA3D8B1,00000000), ref: 004AB4B1
    • __vbaStrCopy.MSVBVM60 ref: 004AB4B9
    • __vbaStrToAnsi.MSVBVM60(?,?,?), ref: 004AB4D3
    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004AB4E2
    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004AB4F6
    • __vbaFreeStr.MSVBVM60 ref: 004AB503
    • __vbaVarCopy.MSVBVM60 ref: 004AB522
    • __vbaSetSystemError.MSVBVM60(?), ref: 004AB534
    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?), ref: 004AB55F
    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004AB56E
    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004AB57C
    • __vbaFreeStr.MSVBVM60 ref: 004AB58A
    • __vbaVarCopy.MSVBVM60 ref: 004AB789
    • __vbaSetSystemError.MSVBVM60(?), ref: 004AB79B
    • __vbaFreeStr.MSVBVM60(004AB7F9), ref: 004AB7EC
    • __vbaFreeStr.MSVBVM60 ref: 004AB7F1
    • __vbaFreeStr.MSVBVM60 ref: 004AB7F6
    Similarity
    • API ID: __vba$Free$CopyErrorSystem$AnsiUnicode
    • String ID:
    • API String ID: 1917594350-0
    • Opcode ID: 2e330299fe83feba47680172663bfdfde7bfd828d92ef8b81d95af907bcebe66
    • Instruction ID: 85882800a0942fd2892873f333c97e44e2381914995ab74df3d52c86fe2af3ec
    • Opcode Fuzzy Hash: 2e330299fe83feba47680172663bfdfde7bfd828d92ef8b81d95af907bcebe66
    • Instruction Fuzzy Hash: 4AC1E2B1C00219DFCB14DFE4D9889EEBBB9FF99704F10812AE111A7251DB786946CF94
    Uniqueness

    Uniqueness Score: -1.00%