
Windows Analysis Report
XMLFIDOI.EXE

Overview

General Information

Sample name:XMLFIDOI.EXE
Analysis ID:1431667
MD5:9fbaadc77c382318fd02a8c13a6ea9fb
SHA1:cbc5085be91a97cc6e250d27791671612112219f
SHA256:01425c7bfc6c890e8c0040b1edc6cb2d30c2da2d0ab5867f86471003d4415a82

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • XMLFIDOI.EXE (PID: 7092 cmdline: "C:\Users\user\Desktop\XMLFIDOI.EXE" MD5: 9FBAADC77C382318FD02A8C13A6EA9FB)
    • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: XMLFIDOI.EXE | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: XMLFIDOI.EXE | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine | Classification label: clean1.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Users\user\Desktop\XMLFIDOI.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\XMLFIDOI.EXE "C:\Users\user\Desktop\XMLFIDOI.EXE"
Source: C:\Users\user\Desktop\XMLFIDOI.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\XMLFIDOI.EXE | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XMLFIDOI.EXE | Section loaded: oradbi.dll
Source: C:\Users\user\Desktop\XMLFIDOI.EXE | Section loaded: ace32.dll
Source: C:\Users\user\Desktop\XMLFIDOI.EXE | Section loaded: winui.dll
Source: C:\Users\user\Desktop\XMLFIDOI.EXE | Section loaded: statuscr.dll
Source: C:\Users\user\Desktop\XMLFIDOI.EXE | Section loaded: cvwseted.dll
Source: XMLFIDOI.EXE | Static file information: File size 1519616 > 1048576
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK Matrix (listed per tactic; entries prefixed with a count are the techniques that matched)
Reconnaissance: Gather Victim Identity Information, Credentials
Resource Development: Acquire Infrastructure, Domains
Initial Access: Valid Accounts, Default Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts
Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading
Defense Evasion: 1 Process Injection, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory
Discovery: 1 System Information Discovery, Application Window Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol
Collection: Data from Local System, Data from Removable Media
Command and Control: Data Obfuscation, Junk Data
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features, Network Denial of Service

No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1431667
Start date and time:2024-04-25 15:53:59 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:XMLFIDOI.EXE
Detection:CLEAN
Classification:clean1.winEXE@2/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .EXE
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
No created / dropped files found
File type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):7.068745079175078
TrID:
  • Win32 Executable (generic) a (10002005/4) 97.55%
  • Win32 Dynamic Link Library - Borland C/C++ (220703/53) 2.15%
  • Windows Screen Saver (13104/52) 0.13%
  • DOS Executable Borland C++ (13009/5) 0.13%
  • Generic Win/DOS Executable (2004/3) 0.02%
File name:XMLFIDOI.EXE
File size:1'519'616 bytes
MD5:9fbaadc77c382318fd02a8c13a6ea9fb
SHA1:cbc5085be91a97cc6e250d27791671612112219f
SHA256:01425c7bfc6c890e8c0040b1edc6cb2d30c2da2d0ab5867f86471003d4415a82
SHA512:331b7355dae74d84481af059f561665ba656284ed535010f444691c197e0c90c6a8f6cadccddc12dbb1e53ea9094560ac7681ee47081a625e298405f566c3d01
SSDEEP:24576:vIEqjYTw4i11VdOpW14yR9o9aT1XWR8F4NuqfS9QB4+Oe:vSCUV4y/o9aT1h2S9QBb
TLSH:38658E12FEA5C670D56001B04C67AB30497EB4CC6F41991B7BDC8A5DDEA26902ECB3B7
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x401000
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:0x4B538450 [Sun Jan 17 21:42:40 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:673513f8037d247bd8d94dc9dc79a438
Instruction
jmp 00007FAC64D1DCC2h
bound di, dword ptr [edx]
inc ebx
sub ebp, dword ptr [ebx]
dec eax
dec edi
dec edi
dec ebx
nop
jmp 00007FAC651CFE31h
mov eax, dword ptr [004B216Fh]
shl eax, 02h
mov dword ptr [004B2173h], eax
push edx
push 00000000h
call 00007FAC64DCE342h
mov edx, eax
call 00007FAC64DBDBDFh
pop edx
call 00007FAC64DBCF75h
call 00007FAC64DBDBD8h
push 00000000h
call 00007FAC64DBF179h
pop ecx
push 004B2118h
push 00000000h
call 00007FAC64DCE31Ch
mov dword ptr [004B2177h], eax
push 00000000h
jmp 00007FAC64DC8F48h
jmp 00007FAC64DBF1A7h
xor eax, eax
mov al, byte ptr [004B2161h]
ret
mov eax, dword ptr [004B2177h]
ret
pushad
mov ebx, BCB05000h
push ebx
push 00000BADh
ret
mov ecx, 000000A4h
or ecx, ecx
je 00007FAC64D1DCFFh
cmp dword ptr [004B216Fh], 00000000h
jnc 00007FAC64D1DCBCh
mov eax, 000000FEh
call 00007FAC64D1DC8Ch
mov ecx, 000000A4h
push ecx
push 00000008h
call 00007FAC64DCE2DFh
push eax
call 00007FAC64DCE333h
or eax, eax
jne 00007FAC64D1DCBCh
mov eax, 000000FDh
call 00007FAC64D1DC6Bh
push eax
push eax
push dword ptr [004B216Fh]
call 00007FAC64DC9112h
push dword ptr [004B216Fh]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xf1000 | 0x1c7 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf0000 | 0xfb9 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf2000 | 0x200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf3000 | 0xb19c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xef000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1000 | 0xb0a00 | a35fb92f80b460e0bda180f3cd6e9928 | False | 0.4400806683474876 | DOS executable (COM) | 6.483884897273354 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb2000 | 0x3c000 | 0x29800 | 4efe47d04b9918a99415d35048e0c774 | False | 0.27747905685240964 | data | 4.915413158778947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xee000 | 0x1000 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xef000 | 0x1000 | 0x200 | c9404615cc7ff9cf88cdfcb48cac6a25 | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.idata | 0xf0000 | 0x1000 | 0x1000 | 6b17547d502f6bcf2e6e47f46d174355 | False | 0.344970703125 | data | 4.849758252523343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.edata | 0xf1000 | 0x1000 | 0x200 | 5641e336738f17795529d67469094515 | False | 0.462890625 | data | 4.965024024529959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xf2000 | 0x1000 | 0x200 | 860706baec5aa21d383b1cc98d0ad393 | False | 0.171875 | data | 0.9349951276464142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf3000 | 0x254000 | 0x97000 | 266d78ccde165143d860554fdc67522c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0xf2068 | 0x10 | data | | | 1.5
DLL | Import
ORADBI.DLL |
ACE32.DLL |
WINUI.DLL |
STATUSCR.DLL |
CVWSETED.DLL |
KERNEL32.DLL | CloseHandle, CreateDirectoryA, CreateFileA, CreateProcessA, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToDosDateTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FlushConsoleInputBuffer, FlushFileBuffers, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentDirectoryA, GetCurrentThreadId, GetDiskFreeSpaceA, GetDriveTypeA, GetEnvironmentStrings, GetExitCodeProcess, GetFileAttributesA, GetFileSize, GetFileTime, GetFileType, GetFullPathNameA, GetLargestConsoleWindowSize, GetLastError, GetLocalTime, GetLocaleInfoA, GetLogicalDrives, GetModuleFileNameA, GetModuleHandleA, GetNumberOfConsoleInputEvents, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemDefaultLangID, GetTickCount, GetTimeZoneInformation, GetUserDefaultLCID, GetVersion, GetVersionExA, GetVolumeInformationA, GlobalAlloc, GlobalFree, GlobalMemoryStatus, HeapAlloc, HeapFree, IsValidLocale, LCMapStringA, LeaveCriticalSection, LoadLibraryA, LockFile, MultiByteToWideChar, PeekConsoleInputA, RaiseException, ReadConsoleInputA, ReadFile, RemoveDirectoryA, RtlUnwind, SetConsoleCtrlHandler, SetConsoleMode, SetConsoleScreenBufferSize, SetConsoleWindowInfo, SetCurrentDirectoryA, SetEndOfFile, SetFilePointer, SetFileTime, SetHandleCount, SetLastError, SetThreadLocale, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnlockFile, VirtualAlloc, VirtualFree, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteConsoleInputA, WriteFile
USER32.DLL | EnumThreadWindows, LoadCursorA, MessageBoxA, SetCursor, wsprintfA
Name | Ordinal | Address
@BASE_ROW_SET_LIST_DATA_SOURCE@CloseList$qqsv | 3 | 0x48fc3c
@BASE_ROW_SET_LIST_DATA_SOURCE@GetData$qqspcus | 4 | 0x48fc50
@BASE_ROW_SET_LIST_DATA_SOURCE@GetProperty$qqspxcpcus | 6 | 0x48fcf4
@BASE_ROW_SET_LIST_DATA_SOURCE@OpenList$qqspxc | 2 | 0x48fc10
@BASE_ROW_SET_LIST_DATA_SOURCE@Rewind$qqsv | 5 | 0x48fcbc
@LINK_ROW_SET_LIST_DATA_SOURCE@GetProperty$qqspxcpcus | 7 | 0x48fd00
__GetExceptDLLinfo | 1 | 0x401059
___CPPdebugHook | 8 | 0x4b217c