Windows
Analysis Report
SaturdayNight.exe
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- SaturdayNight.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\SaturdayNight.exe" MD5: 67BCE1B3B40E27AEA7B0B2C7AD5A689C)
- conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- LogonUI.exe (PID: 2088 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3fbe055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
- cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
- fontdrvhost.exe (PID: 7152 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
- LogonUI.exe (PID: 7000 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f48055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
- cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
- LogonUI.exe (PID: 6940 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f57855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
- fontdrvhost.exe (PID: 1744 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
- cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
- fontdrvhost.exe (PID: 6212 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
- LogonUI.exe (PID: 6712 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f60855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
- cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
- LogonUI.exe (PID: 6388 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f68055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
- fontdrvhost.exe (PID: 6208 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
- cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
- LogonUI.exe (PID: 2484 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f70055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
- cleanup
Source: | Author: Max Altgelt (Nextron Systems): |
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | Code function: | 0_2_005B1B80 |
Source: | Code function: | 0_2_005B15B0 |
Source: | Driver loaded: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_005B1B80 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Process created: | ||
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Process information set: |
Source: | System information queried: |
Source: | Code function: | 0_2_005B3499 |
Source: | Code function: | 0_2_005B315E | |
Source: | Code function: | 0_2_005B35FE | |
Source: | Code function: | 0_2_005B3499 |
Source: | Code function: | 0_2_005B32B5 |
Source: | Queries volume information: |
Source: | Code function: | 0_2_005B36E7 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 LSASS Driver | 1 Access Token Manipulation | 1 Access Token Manipulation | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 LSASS Driver | 1 Process Injection | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Process Injection | 1 DLL Side-Loading | Security Account Manager | 23 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
29% | ReversingLabs | Win32.Trojan.Znyonm | ||
10% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown |
api.msn.com | unknown | unknown | false | high |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431507 |
Start date and time: | 2024-04-25 11:10:05 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 21s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 36 |
Number of new started drivers analysed: | 5 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Sample name: | SaturdayNight.exe |
Detection: | MAL |
Classification: | mal52.winEXE@12/1@1/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Connection to analysis system has been lost, crash info: Unknown
- Exclude process from analysis (whitelisted): smss.exe, dwm.exe, csrss.exe, winlogon.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.55.253.34, 40.127.169.103, 40.126.29.10, 20.190.157.11, 40.126.29.13, 40.126.29.8, 40.126.29.5, 40.126.29.9, 40.126.29.11, 40.126.29.7, 23.39.7.73, 23.4.36.190, 204.79.197.203, 23.1.33.213, 23.1.33.202, 13.107.22.200, 131.253.33.200, 23.47.204.79, 23.47.204.45
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, p-static.bing.trafficmanager.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, cdn.onenote.net.edgekey.net, e86303.dscx.akamaiedge.net, login.live.com, wildcard.weather.microsoft.com.edgekey.net, e16604.g.akamaiedge.net, r.bing.com, www-bing-com.dual-a-0001.a-msedge.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, r.bing.com.edgekey.net, a-0003.a-msedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, dual-a-0001.dc-msedge.net, e1553.dspg.akamaiedge.net, wwwprod.www-bing-com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, api-msn-com.a-0003.a-msedge
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
bg.microsoft.map.fastly.net | | | malicious | FormBook, GuLoader | | |
| | | malicious | AgentTesla, PureLog Stealer | | |
| | | malicious | Unknown | | |
| | | malicious | LonePage | | |
| | | malicious | Unknown | | |
| | | malicious | AsyncRAT, PureLog Stealer | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
Process: | C:\Users\user\Desktop\SaturdayNight.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13688 |
Entropy (8bit): | 2.3523521088681463 |
Encrypted: | false |
SSDEEP: | 96:kv6i/d+OlhdBJg3sQY/6GOeLm1ltB8/NlAENIyRSe/mgvqWRqnSDuk2AcExcLcxJ:kvN/UOqdi6GzLFusv5vqzAYO |
MD5: | BA7D42F7DE428972ADD943849A500E34 |
SHA1: | 5F99FC14F57D084AB3FE8D091C8A8D8F440F964F |
SHA-256: | 9AB2668A2FF776B90436B7E00F581BE9864D8773C36313A7A26BC92CDFC3B07F |
SHA-512: | EDDF9E7B0DEA83253CF9A204C0CCB895BB690A0DCE49778937B313DA04C41AA84A4219A62D7C46FB1F88D1B677390176ED7A340477BAACF3CD2CA29FCFFB9602 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.380354613992533 |
TrID: |
|
File name: | SaturdayNight.exe |
File size: | 35'328 bytes |
MD5: | 67bce1b3b40e27aea7b0b2c7ad5a689c |
SHA1: | 0c13e6d533c6aca87184b6f0d1fc0e6062094666 |
SHA256: | 89e22471cada6ad8f4da2a73ed2bc168314d57606ba7f659384f1781c167cba7 |
SHA512: | 6ff5396de0eb4e4afb12e2038b2dc8ec2d7f2bfecf6b9d9c298f77a37bfbfdcdda4022f043b76382a1080fdda0b545014da4bda13dd2f8a8fe87070a9706b505 |
SSDEEP: | 384:ZSolOGGxaNS9FpPkFiOxa+yu7A0DQOdDJ5O0jOQGEYgXCAmyYCuq1qRUdnM5BWQK:IqiOxh/DTDDOpTgXXgQW5BW4dc |
TLSH: | F1F28F72FB424D6CF614C1BE54EA29B8857E51EB4F62C2B3F38C6D9903ED3C19422259 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..;4..;4..;4..2L#.14...K.."4...K..74...K..>4...K..?4...D..:4...D..24..;4..b4......:4....O.:4......:4..Rich;4................. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x403154 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x650677EC [Sun Sep 17 03:52:12 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 98dff28d0a554cb39bc5fad723cfb9f1 |
Instruction |
---|
call 00007FC1545F6B40h |
jmp 00007FC1545F63D9h |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [0040402Ch] |
push dword ptr [ebp+08h] |
call dword ptr [00404028h] |
push C0000409h |
call dword ptr [00404038h] |
push eax |
call dword ptr [00404030h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call dword ptr [00404044h] |
test eax, eax |
je 00007FC1545F6567h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [004091C8h], eax |
mov dword ptr [004091C4h], ecx |
mov dword ptr [004091C0h], edx |
mov dword ptr [004091BCh], ebx |
mov dword ptr [004091B8h], esi |
mov dword ptr [004091B4h], edi |
mov word ptr [004091E0h], ss |
mov word ptr [004091D4h], cs |
mov word ptr [004091B0h], ds |
mov word ptr [004091ACh], es |
mov word ptr [004091A8h], fs |
mov word ptr [004091A4h], gs |
pushfd |
pop dword ptr [004091D8h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [004091CCh], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [004091D0h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [004091DCh], eax |
mov eax, dword ptr [ebp-00000324h] |
mov dword ptr [00409118h], 00010001h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8244 | 0xf0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb000 | 0x3a4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x79a0 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x78e0 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x160 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2e67 | 0x3000 | 97e2739f30605ea640043d201c2135f1 | False | 0.57763671875 | data | 6.352534657414724 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x4000 | 0x4cb6 | 0x4e00 | b84470cc23d6b55e09b97e3f25d8f49e | False | 0.28630809294871795 | data | 3.881810892385155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x448 | 0x200 | 2b74e32789c0fcfbe56806b059435b38 | False | 0.20703125 | data | 1.799784447615981 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xa000 | 0x1e0 | 0x200 | 101f04294dcfeea9dfe10d3c920461d9 | False | 0.529296875 | data | 4.701503258251789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xb000 | 0x3a4 | 0x400 | a155238d44033b143897e4063a094c71 | False | 0.8427734375 | data | 6.1513713381822175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0xa060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
KERNEL32.dll | CreateFileW, CloseHandle, GetCurrentConsoleFontEx, GetConsoleWindow, SetCurrentConsoleFontEx, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, GetStdHandle, GetCurrentProcess, IsDebuggerPresent, ReadFile, IsProcessorFeaturePresent, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, InitializeSListHead, GetModuleHandleW |
USER32.dll | ShowWindow, ExitWindowsEx |
ADVAPI32.dll | AdjustTokenPrivileges, OpenProcessToken, LookupPrivilegeValueW |
SHELL32.dll | SHGetKnownFolderPath |
MSVCP140.dll | _Xtime_get_ticks, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?good@ios_base@std@@QBE_NXZ, _Thrd_sleep, ?uncaught_exception@std@@YA_NXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, _Query_perf_frequency, _Query_perf_counter, ?_Xlength_error@std@@YAXPBD@Z |
VCRUNTIME140.dll | _except_handler4_common, memset, __current_exception_context, memmove, memcpy, _CxxThrowException, __std_terminate, __std_exception_copy, __std_exception_destroy, __CxxFrameHandler3, __current_exception |
api-ms-win-crt-runtime-l1-1-0.dll | __p___argv, _c_exit, _register_thread_local_exe_atexit_callback, _exit, _configure_narrow_argv, terminate, _controlfp_s, _initialize_narrow_environment, exit, __p___argc, _initialize_onexit_table, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _invalid_parameter_noinfo_noreturn |
api-ms-win-crt-heap-l1-1-0.dll | _callnewh, free, _set_new_mode, malloc |
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr |
api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 25, 2024 11:11:15.389647007 CEST | 53126 | 53 | 192.168.2.4 | 1.1.1.1 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 25, 2024 11:11:15.389647007 CEST | 192.168.2.4 | 1.1.1.1 | 0x310d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 25, 2024 11:11:12.903764009 CEST | 1.1.1.1 | 192.168.2.4 | 0x4958 | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Apr 25, 2024 11:11:12.903764009 CEST | 1.1.1.1 | 192.168.2.4 | 0x4958 | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Apr 25, 2024 11:11:15.499376059 CEST | 1.1.1.1 | 192.168.2.4 | 0x310d | No error (0) | | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 11:10:51 |
Start date: | 25/04/2024 |
Path: | C:\Users\user\Desktop\SaturdayNight.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x5b0000 |
File size: | 35'328 bytes |
MD5 hash: | 67BCE1B3B40E27AEA7B0B2C7AD5A689C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 11:10:52 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 11:10:55 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\LogonUI.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75ff10000 |
File size: | 13'824 bytes |
MD5 hash: | 893144FE49AA16124B5BD3034E79BBC6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 7 |
Start time: | 11:10:56 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\cdd.dll |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7714f0000 |
File size: | 267'264 bytes |
MD5 hash: | 9B684213A399B4E286982BDAD6CF3D07 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 8 |
Start time: | 11:10:56 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\fontdrvhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff72c440000 |
File size: | 827'408 bytes |
MD5 hash: | BBCB897697B3442657C7D6E3EDDBD25F |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 9 |
Start time: | 11:10:56 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\LogonUI.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75ff10000 |
File size: | 13'824 bytes |
MD5 hash: | 893144FE49AA16124B5BD3034E79BBC6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 14 |
Start time: | 11:11:06 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\cdd.dll |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 267'264 bytes |
MD5 hash: | 9B684213A399B4E286982BDAD6CF3D07 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 15 |
Start time: | 11:11:06 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\LogonUI.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1d0000 |
File size: | 13'824 bytes |
MD5 hash: | 893144FE49AA16124B5BD3034E79BBC6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 16 |
Start time: | 11:11:06 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\fontdrvhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff72c440000 |
File size: | 827'408 bytes |
MD5 hash: | BBCB897697B3442657C7D6E3EDDBD25F |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 24 |
Start time: | 11:11:07 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\cdd.dll |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 267'264 bytes |
MD5 hash: | 9B684213A399B4E286982BDAD6CF3D07 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 25 |
Start time: | 11:11:07 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\fontdrvhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff72c440000 |
File size: | 827'408 bytes |
MD5 hash: | BBCB897697B3442657C7D6E3EDDBD25F |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 26 |
Start time: | 11:11:07 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\LogonUI.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75ff10000 |
File size: | 13'824 bytes |
MD5 hash: | 893144FE49AA16124B5BD3034E79BBC6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 31 |
Start time: | 11:11:09 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\cdd.dll |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 267'264 bytes |
MD5 hash: | 9B684213A399B4E286982BDAD6CF3D07 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 32 |
Start time: | 11:11:09 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\LogonUI.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75ff10000 |
File size: | 13'824 bytes |
MD5 hash: | 893144FE49AA16124B5BD3034E79BBC6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 34 |
Start time: | 11:11:09 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\fontdrvhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff72c440000 |
File size: | 827'408 bytes |
MD5 hash: | BBCB897697B3442657C7D6E3EDDBD25F |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 39 |
Start time: | 11:11:11 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\cdd.dll |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 267'264 bytes |
MD5 hash: | 9B684213A399B4E286982BDAD6CF3D07 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Has exited: | false |
Target ID: | 40 |
Start time: | 11:11:11 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\LogonUI.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ec4b0000 |
File size: | 13'824 bytes |
MD5 hash: | 893144FE49AA16124B5BD3034E79BBC6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Execution Graph
Execution Coverage: | 13.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 24.4% |
Total number of Nodes: | 320 |
Total number of Limit Nodes: | 6 |
Callgraph
Function 005B1B80 Relevance: 45.8, APIs: 21, Strings: 5, Instructions: 313, Tags: shutdown, COMMON
Function 005B310D Relevance: 3.0, APIs: 2, Instructions: 20, Tags: COMMON
Function 005B15B0 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 396, Tags: file, COMMON
Function 005B3499 Relevance: 9.1, APIs: 6, Instructions: 73, Tags: COMMON
Function 005B32B5 Relevance: 1.6, APIs: 1, Instructions: 147, Tags: COMMON
Function 005B35FE Relevance: 1.5, APIs: 1, Instructions: 3, Tags: COMMON
Function 005B2F0D Relevance: 12.1, APIs: 8, Instructions: 56, Tags: COMMON
Function 005B2C5B Relevance: 7.6, APIs: 5, Instructions: 60, Tags: COMMON
Function 005B26E0 Relevance: 6.1, APIs: 4, Instructions: 126, Tags: COMMON
Function 005B2090 Relevance: 6.1, APIs: 4, Instructions: 101, Tags: COMMON
Function 005B11D0 Relevance: 6.1, APIs: 4, Instructions: 76, Tags: COMMON
Function 005B2C4D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59, Tags: COMMON, LIBRARYCODE