Windows
Analysis Report
openurl.exe
Overview
General Information
Detection
Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%
Signatures
Classification
- System is w10x64
- openurl.exe (PID: 4568, cmdline: "C:\Users\user\Desktop\openurl.exe", MD5: C907C48492D52F2DE4C9B9E22C256742)
- cleanup
There are no malicious signatures.
Signature evidence sources:
- Static PE information
- String found in binary or memory
- Classification label
- Key opened
- Section loaded
- Code function: 0_2_00771ED9, 0_2_00771C37, 0_2_0077177E, 0_2_00771DCA, 0_2_00771EFE, 0_2_00771B21
- Thread injection, dropped files, key value created, disk infection and DNS query
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Source | Detection | Scanner | Label
---|---|---|---
| | 0% | Virustotal | |
| | 0% | ReversingLabs | |
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431823
Start date and time: 2024-04-25 20:44:58 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: openurl.exe
Detection: CLEAN
Classification: clean2.winEXE@1/0@0/0
EGA Information: Failed
HCA Information:
Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target openurl.exe, PID 4568 because there are no executed functions
File type:
Entropy (8bit): 6.76336290594607
TrID:
File name: openurl.exe
File size: 28'496 bytes
MD5: c907c48492d52f2de4c9b9e22c256742
SHA1: 4767e3c8a4f31628ef6e759def710e5dad46c1ee
SHA256: 1e69e00f0361e9a4d21b0386015c7b8d8186bec53ad325ea2c079441fcb37f62
SHA512: 5ce8719a09b3b44c927696dd5dac8cbf88e7ac0fd0d73cc0248ea6df0f784db2266694487164c5e8ac8cd70fb327f6ee2bb529066df77b0e1d9eb7534fc3a7ae
SSDEEP: 384:W0u8hA4tY+FGJqwf+vCx4331FSsJrQDIYiBwHwJAM+o/8E9VF0NyWdUQp:W0De+FGYdvDTS+9YiBwQJAMxkEsp
TLSH: 06D26C53A6620421C7AAD934366492BD8437B2B68FF4C5D3B64DDC050BB43D1AEBC29F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..kk...k...j...k...j...k...j...k...j...k...j...kq..j...k...ko..kH..j...kH..k...kH..j...kRich...k...............
Icon Hash: 00928e8e8686b000
Entrypoint: 0x401774
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x653A0168 [Thu Oct 26 06:04:24 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 7ded77a493c412b7cf3fcbdff7eb4244
Signature Valid: true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
Subject Chain:
Version: 3
Thumbprint MD5: A9CA0963936C7546B2348E650C8D8514
Thumbprint SHA-1: 8F5F832BA07AE78DC635886D20042C21300D5DB9
Thumbprint SHA-256: 8A6407872F4E2E95BB570B1751BED91D0B9D0BC90643F8F9E505374BF77519AB
Serial: 0AB53526DD9E3F80814952E212FFB1C4
Instruction |
---|
call 00007F3D98DB559Ah |
jmp 00007F3D98DB501Fh |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [00403038h] |
push dword ptr [ebp+08h] |
call dword ptr [0040303Ch] |
push C0000409h |
call dword ptr [00403034h] |
push eax |
call dword ptr [00403030h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call 00007F3D98DB5A90h |
test eax, eax |
je 00007F3D98DB51A7h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [00406238h], eax |
mov dword ptr [00406234h], ecx |
mov dword ptr [00406230h], edx |
mov dword ptr [0040622Ch], ebx |
mov dword ptr [00406228h], esi |
mov dword ptr [00406224h], edi |
mov word ptr [00406250h], ss |
mov word ptr [00406244h], cs |
mov word ptr [00406220h], ds |
mov word ptr [0040621Ch], es |
mov word ptr [00406218h], fs |
mov word ptr [00406214h], gs |
pushfd |
pop dword ptr [00406248h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [0040623Ch], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [00406240h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [0040624Ch], eax |
mov eax, dword ptr [ebp-00000324h] |
mov dword ptr [00406188h], 00010001h |
Programming Language:
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3bf4 | 0xf0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7000 | 0x2f0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4600 | 0x2950 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0x3c4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3410 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3430 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x22c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x14bb | 0x1600 | e12640cc47c66ff997049de674eebcda | False | 0.6001420454545454 | data | 6.069138714519844 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0x2182 | 0x2200 | dc5a3705dfc2b354b8b6ca937527d14d | False | 0.37741268382352944 | SysEx File - Matsushita | 5.178236114595099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x6000 | 0x4a4 | 0x200 | 6fe65bd718b5bc543c2ba62d4a840b7a | False | 0.30859375 | data | 2.9718967515549712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x7000 | 0x2f0 | 0x400 | e33ada534120cb3b2f206eb257e8373f | False | 0.400390625 | data | 4.287460805804473 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x8000 | 0x3c4 | 0x400 | 20c987d66827f430a6999a2b16f73379 | False | 0.85546875 | data | 6.2142258599387805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x7060 | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5500770416024653 |
DLL | Import |
---|---|
Qt5Widgets.dll | ?sizeHint@QWidget@@UBE?AVQSize@@XZ, ?tabletEvent@QWidget@@MAEXPAVQTabletEvent@@@Z, ?qt_metacast@QMainWindow@@UAEPAXPBD@Z, ?staticMetaObject@QMainWindow@@2UQMetaObject@@B, ?showEvent@QWidget@@MAEXPAVQShowEvent@@@Z, ?sharedPainter@QWidget@@MBEPAVQPainter@@XZ, ?setVisible@QWidget@@UAEX_N@Z, ?resizeEvent@QWidget@@MAEXPAVQResizeEvent@@@Z, ?redirected@QWidget@@MBEPAVQPaintDevice@@PAVQPoint@@@Z, ?paintEvent@QWidget@@MAEXPAVQPaintEvent@@@Z, ?paintEngine@QWidget@@UBEPAVQPaintEngine@@XZ, ?nativeEvent@QWidget@@MAE_NABVQByteArray@@PAXPAJ@Z, ?moveEvent@QWidget@@MAEXPAVQMoveEvent@@@Z, ?mouseReleaseEvent@QWidget@@MAEXPAVQMouseEvent@@@Z, ?mousePressEvent@QWidget@@MAEXPAVQMouseEvent@@@Z, ?mouseMoveEvent@QWidget@@MAEXPAVQMouseEvent@@@Z, ?mouseDoubleClickEvent@QWidget@@MAEXPAVQMouseEvent@@@Z, ?minimumSizeHint@QWidget@@UBE?AVQSize@@XZ, ?metric@QWidget@@MBEHW4PaintDeviceMetric@QPaintDevice@@@Z, ?leaveEvent@QWidget@@MAEXPAVQEvent@@@Z, ?keyReleaseEvent@QWidget@@MAEXPAVQKeyEvent@@@Z, ?keyPressEvent@QWidget@@MAEXPAVQKeyEvent@@@Z, ??0QApplication@@QAE@AAHPAPADH@Z, ?inputMethodQuery@QWidget@@UBE?AVQVariant@@W4InputMethodQuery@Qt@@@Z, ?inputMethodEvent@QWidget@@MAEXPAVQInputMethodEvent@@@Z, ?initPainter@QWidget@@MBEXPAVQPainter@@@Z, ?hideEvent@QWidget@@MAEXPAVQHideEvent@@@Z, ?heightForWidth@QWidget@@UBEHH@Z, ?hasHeightForWidth@QWidget@@UBE_NXZ, ?focusOutEvent@QWidget@@MAEXPAVQFocusEvent@@@Z, ?focusNextPrevChild@QWidget@@MAE_N_N@Z, ?focusInEvent@QWidget@@MAEXPAVQFocusEvent@@@Z, ?event@QMainWindow@@MAE_NPAVQEvent@@@Z, ?wheelEvent@QWidget@@MAEXPAVQWheelEvent@@@Z, ?enterEvent@QWidget@@MAEXPAVQEvent@@@Z, ?dropEvent@QWidget@@MAEXPAVQDropEvent@@@Z, ?dragMoveEvent@QWidget@@MAEXPAVQDragMoveEvent@@@Z, ?dragLeaveEvent@QWidget@@MAEXPAVQDragLeaveEvent@@@Z, ?dragEnterEvent@QWidget@@MAEXPAVQDragEnterEvent@@@Z, ?devType@QWidget@@UBEHXZ, ?createPopupMenu@QMainWindow@@UAEPAVQMenu@@XZ, ?contextMenuEvent@QMainWindow@@MAEXPAVQContextMenuEvent@@@Z, ?closeEvent@QWidget@@MAEXPAVQCloseEvent@@@Z, ?changeEvent@QWidget@@MAEXPAVQEvent@@@Z, ?actionEvent@QWidget@@MAEXPAVQActionEvent@@@Z, ??1QMainWindow@@UAE@XZ, ??0QMainWindow@@QAE@PAVQWidget@@V?$QFlags@W4WindowType@Qt@@@@@Z, ?exec@QApplication@@SAHXZ, ??1QApplication@@UAE@XZ, ?qt_metacall@QMainWindow@@UAEHW4Call@QMetaObject@@HPAPAX@Z |
Qt5Gui.dll | ?openUrl@QDesktopServices@@SA_NABVQUrl@@@Z |
Qt5Core.dll | ?eventFilter@QObject@@UAE_NPAV1@PAVQEvent@@@Z, ?disconnectNotify@QObject@@MAEXABVQMetaMethod@@@Z, ?customEvent@QObject@@MAEXPAVQEvent@@@Z, ?connectNotify@QObject@@MAEXABVQMetaMethod@@@Z, ?timerEvent@QObject@@MAEXPAVQTimerEvent@@@Z, ?dynamicMetaObject@QObjectData@@QBEPAUQMetaObject@@XZ, ?absoluteFilePath@QDir@@QBE?AVQString@@ABV2@@Z, ??1QDir@@QAE@XZ, ??0QDir@@QAE@ABVQString@@@Z, ?remove@QFile@@QAE_NXZ, ??1QFile@@UAE@XZ, ??0QFile@@QAE@ABVQString@@@Z, ?close@QFileDevice@@UAEXXZ, ?applicationDirPath@QCoreApplication@@SA?AVQString@@XZ, ?arguments@QCoreApplication@@SA?AVQStringList@@XZ, ?readAll@QTextStream@@QAE?AVQString@@XZ, ??1QTextStream@@UAE@XZ, ??0QTextStream@@QAE@PAVQIODevice@@@Z, ??1QUrl@@QAE@XZ, ??0QUrl@@QAE@ABVQString@@W4ParsingMode@0@@Z, ?at@QListData@@QBEPAPAXH@Z, ?size@QListData@@QBEHXZ, ?dispose@QListData@@SAXPAUData@1@@Z, ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z, ??4QString@@QAEAAV0@$$QAV0@@Z, ??4QString@@QAEAAV0@ABV0@@Z, ??1QString@@QAE@XZ, ?childEvent@QObject@@MAEXPAVQChildEvent@@@Z, ?open@QFile@@UAE_NV?$QFlags@W4OpenModeFlag@QIODevice@@@@@Z |
KERNEL32.dll | GetCommandLineW, LocalFree, WideCharToMultiByte, GetModuleHandleW, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter |
VCRUNTIME140.dll | _CxxThrowException, __std_exception_destroy, __std_exception_copy, _except_handler4_common, __CxxFrameHandler3, memset |
api-ms-win-crt-runtime-l1-1-0.dll | _seh_filter_exe, _exit, _register_onexit_function, _cexit, _crt_atexit, _controlfp_s, terminate, _initialize_onexit_table, exit, _set_app_type, _register_thread_local_exe_atexit_callback, _initterm_e, _initterm, _get_narrow_winmain_command_line, _initialize_narrow_environment, _configure_narrow_argv, _c_exit |
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr |
api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
api-ms-win-crt-heap-l1-1-0.dll | _callnewh, malloc, free, _set_new_mode |
SHELL32.dll | CommandLineToArgvW |
Language of compilation system | Country where language is spoken
---|---
English | United States
Target ID: 0
Start time: 20:45:42
Start date: 25/04/2024
Path: C:\Users\user\Desktop\openurl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\openurl.exe"
Imagebase: 0x770000
File size: 28'496 bytes
MD5 hash: C907C48492D52F2DE4C9B9E22C256742
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false
Function 00771DCA (COMMON): Relevance 1.5, APIs: 1, Instructions: 3, Uniqueness Score: -1.00%
Function 00772150 (COMMON): Relevance 7.6, APIs: 5, Instructions: 104, Uniqueness Score: -1.00%