Windows Analysis Report
ereborlugimli.sys

Overview

General Information

Sample name: ereborlugimli.sys
Analysis ID: 1431620
MD5: eebfa46f56e02488c933c3d6f289c7c2
SHA1: d3cc699a04936324ab29a31a283ea309a10ab27a
SHA256: bcbb40015ac5a9fa84232be932a12c0f37c7b482af434eb092f4b25fae706da9
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: unsuccessful

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

PE / OLE file has an invalid certificate

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: ereborlugimli.sys | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: ereborlugimli.sys | Static PE information: invalid certificate
Source: classification engine | Classification label: unknown0.winSYS@0/0@0/0
Source: ereborlugimli.sys | Static PE information: Image base 0x140000000 > 0x60000000
Source: ereborlugimli.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
No Mitre Att&ck techniques found

Source | Detection | Scanner | Label | Link
ereborlugimli.sys | 0% | ReversingLabs | |
ereborlugimli.sys | 3% | Virustotal | | Browse
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431620
Start date and time: 2024-04-25 14:37:45 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ereborlugimli.sys
Detection: UNKNOWN
Classification: unknown0.winSYS@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .sys
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: unsuccessful
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No created / dropped files found
File type: PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit): 5.4892453267398835
TrID:
  • Win64 Device Driver (generic) (12004/3) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: ereborlugimli.sys
File size: 40'384 bytes
MD5: eebfa46f56e02488c933c3d6f289c7c2
SHA1: d3cc699a04936324ab29a31a283ea309a10ab27a
SHA256: bcbb40015ac5a9fa84232be932a12c0f37c7b482af434eb092f4b25fae706da9
SHA512: 1805173b1ac66fabef3873e79d522b131e710416b6214607f31b8465be390b7b39392f6d29ce42f5a035d914ad47903138c072dc088892bc12ff10cd5417c849
SSDEEP: 768:9WaauVbAKn/4bLQ2NMkrWkmpuz7XcVZD59mk1nlv4phOPZsnF:Ztl/4uqIuz7sNP+hOPQF
TLSH: 67036D56608D22D1E5AA82FEC9B21346EBB0F4052B5641EF17D084796F73FF1653E312
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.h)...z...z...zH..{...z...z...zH..{...zH..{...zH..{...z...zT..z...{...z...{...z*{.{...z*{.{...zRich...z................PE..d..
Icon Hash: 7ae282899bbab082
Entrypoint: 0x140005300
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: native
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp: 0x661FCED5 [Wed Apr 17 13:29:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: f2cad1d5d91168e86a6c53144b03fcac
Signature Valid: false
Signature Issuer: CN="WDKTestCert ereborlugimli,133486784345788048"
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After
  • 02/01/2024 15:13:54 02/01/2034 01:00:00
Subject Chain
  • CN="WDKTestCert ereborlugimli,133486784345788048"
Version: 3
Thumbprint MD5: 8E0BF598C15987C560A427F6F129C58B
Thumbprint SHA-1: 56200EF9746583E6E970212CCC978745998AA334
Thumbprint SHA-256: 3E52D973FB09E5D53ECB464F3CE5AC34E12B49E3F3F7E993EFB7ADD6A6343ECF
Serial: 54E89F00DEC44E9F40393A392B136944
Instruction
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
mov ebx, edx
dec eax
mov edi, ecx
call 00007FBBDCBCD830h
dec eax
mov edx, ebx
dec eax
mov ecx, edi
call 00007FBBDCBC78B1h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
add esp, 20h
pop edi
ret
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 30h
xor ebp, ebp
dec eax
mov esi, edx
dec eax
mov edi, ecx
dec eax
test ecx, ecx
jne 00007FBBDCBC78ACh
call 00007FBBDCBCD54Eh
jmp 00007FBBDCBC7966h
dec eax
lea eax, dword ptr [00003DFDh]
dec eax
mov dword ptr [0000402Eh], edi
dec esp
lea esi, dword ptr [00004007h]
mov dword ptr [00003FFDh], 02080000h
dec ecx
mov ecx, esi
dec eax
mov dword ptr [00003FFBh], eax
dec eax
call dword ptr [00000ED4h]
nop dword ptr [eax+eax+00h]
dec esp
lea ecx, dword ptr [00003FF8h]
dec ecx
mov edx, esi
dec esp
lea eax, dword ptr [00003B2Eh]
dec eax
mov ecx, edi
call 00007FBBDCBC7CF5h
test eax, eax
js 00007FBBDCBC7911h
dec eax
mov eax, dword ptr [00003FD3h]
dec eax
lea ecx, dword ptr [00003B14h]
dec eax
mov edx, dword ptr [eax+00000648h]
dec eax
mov dword ptr [00003F9Eh], edx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb304 | 0x50 | INIT
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xa000 | 0x390 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9600 | 0x7c0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0x34 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6760 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6620 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x2a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4c62 | 0x4e00 | c0258e7befa15930586285e4046ee378 | False | 0.5534855769230769 | data | 6.165753815512331 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x6000 | 0xf14 | 0x1000 | 0a3fa804999c52854ae217e7fc365aa3 | False | 0.430419921875 | data | 4.677497907989505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data | 0x7000 | 0x23e8 | 0x2000 | 31c0799eaf27c53966c9756388c40e82 | False | 0.082275390625 | data | 1.6936198921249268 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xa000 | 0x390 | 0x400 | a6a9f134291759ab74045efaaf1c550a | False | 0.5205078125 | data | 3.9352782596690434 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
INIT | 0xb000 | 0xd40 | 0xe00 | f3d95e21bf680c9f6003e1ffce7192c1 | False | 0.51171875 | zlib compressed data | 5.499127463167882 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0xc000 | 0x34 | 0x200 | 9a8070284216bfef1594c635cb087f12 | False | 0.123046875 | data | 0.6688615316230119 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
NETIO.SYS | WskCaptureProviderNPI, WskReleaseProviderNPI, WskQueryProviderCharacteristics, WskDeregister, WskRegister
ntoskrnl.exe | ExFreePoolWithTag, ZwCreateFile, ZwQueryInformationFile, ZwWriteFile, ZwClose, _vsnwprintf, atoi, KeInitializeEvent, KeClearEvent, KeInitializeSemaphore, KeDelayExecutionThread, KeWaitForSingleObject, KeInitializeSpinLock, KeAcquireSpinLockRaiseToDpc, KeReleaseSpinLock, ExInterlockedInsertTailList, ExInterlockedRemoveHeadList, ExInitializeResourceLite, ExEnterCriticalRegionAndAcquireResourceExclusive, ExReleaseResourceAndLeaveCriticalRegion, ExDeleteResourceLite, PsCreateSystemThread, PsTerminateSystemThread, IoBuildSynchronousFsdRequest, IofCallDriver, IoCancelIrp, IofCompleteRequest, IoCreateDevice, IoDeleteDevice, IoReleaseCancelSpinLock, IoReleaseRemoveLockEx, ObfDereferenceObject, ObReferenceObjectByName, ExAllocatePoolWithTag, strncmp, strstr, ObReferenceObjectByHandleWithTag, ObfDereferenceObjectWithTag, ZwReadFile, __chkstk, PsThreadType, MmGetSystemRoutineAddress, RtlGetVersion, KeSetEvent, MmProbeAndLockPages, MmUnlockPages, IoAllocateIrp, IoAllocateMdl, IoFreeIrp, IoFreeMdl, __C_specific_handler, ExAcquireFastMutex, ExReleaseFastMutex, ExQueryDepthSList, ExpInterlockedPopEntrySList, ExpInterlockedPushEntrySList, ExInitializeNPagedLookasideList, ExDeleteNPagedLookasideList, RtlInitializeGenericTableAvl, RtlInsertElementGenericTableAvl, RtlDeleteElementGenericTableAvl, RtlLookupElementGenericTableAvl, RtlGetElementGenericTableAvl, isdigit, RtlCopyUnicodeString, DbgPrintEx, RtlAnsiStringToUnicodeString, RtlInitUnicodeString, RtlInitAnsiString, strchr, IoDriverObjectType
WDFLDR.SYS | WdfVersionBindClass, WdfVersionUnbind, WdfLdrQueryInterface, WdfVersionBind, WdfVersionUnbindClass
No network behavior found
No statistics
No system behavior
No disassembly