Windows Analysis Report
rsatcustominstaller.exe

Overview

General Information

Sample name: rsatcustominstaller.exe
Analysis ID: 1432355
MD5: 6d4be5e22e929e1ccd92aee1c6ba0ab8
SHA1: ddfd50226023bcf38c5a4bd74ef16beff662351a
SHA256: 17fa37d97e956f579ef9a6642976f32151c1b8c13ad01f1db27889b66f207a61
Infos:

Detection

Score: 20
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Changes the view of files in Windows Explorer (hidden files and folders)

Classification

  • System is w10x64
  • rsatcustominstaller.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\rsatcustominstaller.exe" MD5: 6D4BE5E22E929E1CCD92AEE1C6BA0AB8)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: rsatcustominstaller.exe | Static PE information: certificate valid
Source: rsatcustominstaller.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: rsatcustominstaller.pdbGCTL | source: rsatcustominstaller.exe
Source: Binary string: rsatcustominstaller.pdb | source: rsatcustominstaller.exe
Source: classification engine | Classification label: sus20.evad.winEXE@1/0@0/0
Source: rsatcustominstaller.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rsatcustominstaller.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: rsatcustominstaller.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: rsatcustominstaller.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rsatcustominstaller.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rsatcustominstaller.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rsatcustominstaller.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rsatcustominstaller.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rsatcustominstaller.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: rsatcustominstaller.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rsatcustominstaller.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rsatcustominstaller.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rsatcustominstaller.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rsatcustominstaller.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\rsatcustominstaller.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Start_AdminToolsRoot
MITRE ATT&CK matrix (tactic: technique; the number in parentheses is the count of matched signatures, techniques without a count are unmatched column placeholders):

  • Reconnaissance: Gather Victim Identity Information
  • Resource Development: Acquire Infrastructure
  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: Path Interception
  • Privilege Escalation: Path Interception
  • Defense Evasion: Hidden Files and Directories (1)
  • Credential Access: OS Credential Dumping
  • Discovery: System Information Discovery (1)
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Command and Control: Data Obfuscation
  • Exfiltration: Exfiltration Over Other Network Medium
  • Impact: Abuse Accessibility Features
Antivirus results (Source, Detection, Scanner, Label, Link):
  • rsatcustominstaller.exe: 0% (ReversingLabs)
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1432355
Start date and time: 2024-04-26 22:44:38 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rsatcustominstaller.exe
Detection: SUS
Classification: sus20.evad.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • VT rate limit hit for: rsatcustominstaller.exe
No simulations
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 5.9961066696571
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: rsatcustominstaller.exe
File size: 36'792 bytes
MD5: 6d4be5e22e929e1ccd92aee1c6ba0ab8
SHA1: ddfd50226023bcf38c5a4bd74ef16beff662351a
SHA256: 17fa37d97e956f579ef9a6642976f32151c1b8c13ad01f1db27889b66f207a61
SHA512: 590c5182a38846112d1e1d6024d18725a887685ecd5c88934c51802f2e99991e795887f8de64ac3ac12d84dd4ce8cb70885371e9b20a22c328f6007ca05137de
SSDEEP: 768:ZaRfSB2f0vzkrZpnswudxabeG40FMDuO9zBC4:ZOO2f0vzk1pnswyobeD0Yzg4
TLSH: 18F208829BFC40C1F57B7A758AB58A06AC35B9922B31C6CF4660C24E0D73BD0E934767
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)...)...)...D...*...D...:...D...-...D...$...)...g...D...(...D...(...D...(...Rich)...........................PE..d......e...
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140002fd0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x6581189A [Tue Dec 19 04:14:18 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: 82c261471f215933215f8d31570884e8
Signature Valid: true
Signature Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 19/10/2023 21:51:12
Not After: 16/10/2024 21:51:12
Subject Chain:
  • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: 2169E18183DAF704160A117E905BFDA4
Thumbprint SHA-1: CB9C4FBEA1D87D2D468AC5A9CAAB0163F6AD8401
Thumbprint SHA-256: C4405F06DFB035F3AD360D29D27D434E004E054B6FB18FA3A5566A9F9AFA8296
Serial: 3300000557CF90DDC7D1C0888C000000000557
Instruction (entrypoint preview; the x86-64 code is listed as 32-bit, so the leading dec eax, dec esp and inc eax entries are the REX prefix bytes 0x48, 0x4C and 0x40 of the following 64-bit instruction, not real instructions)
dec eax
sub esp, 28h
call 00007F341153EBE0h
dec eax
add esp, 28h
jmp 00007F341153E643h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [000042B1h]
jne 00007F341153E832h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F341153E823h
ret
dec eax
ror ecx, 10h
jmp 00007F341153ECC7h
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
mov eax, dword ptr [00004894h]
dec eax
mov dword ptr [esp+38h], eax
dec eax
cmp eax, FFFFFFFFh
jne 00007F341153E831h
dec eax
mov eax, dword ptr [0000139Ah]
call dword ptr [00001444h]
jmp 00007F341153E87Fh
mov ecx, 00000008h
call 00007F341153EE05h
nop
dec eax
mov eax, dword ptr [00004868h]
dec eax
mov dword ptr [esp+38h], eax
dec eax
mov eax, dword ptr [00004854h]
dec eax
mov dword ptr [esp+40h], eax
dec esp
lea eax, dword ptr [esp+40h]
dec eax
lea edx, dword ptr [esp+38h]
dec eax
mov ecx, ebx
call 00007F341153EDF2h
dec eax
mov ebx, eax
dec eax
mov edx, dword ptr [esp+38h]
dec eax
mov dword ptr [00004836h], edx
dec eax
mov edx, dword ptr [esp+40h]
Data directories (Name, Virtual Address, Virtual Size, Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0      0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6094   0x78     .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9000   0x430    .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x8000   0x384    .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x6a00   0x25b8
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000   0xa0     .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x5630   0x38     .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0      0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0      0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0      0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x4170   0xd0     .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0      0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x4240   0x248    .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0      0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0      0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0      0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):
  • .text: VA 0x1000, Virtual Size 0x2aaa, Raw Size 0x2c00, MD5 49db9f7f179e739f662d9db5dfdbdad9, Xored PE False, ZLIB Complexity 0.5092329545454546, File Type data, Entropy 5.924278748793684, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  • .rdata: VA 0x4000, Virtual Size 0x2868, Raw Size 0x2a00, MD5 bb7fcd133a1b690da030c7e3d16f8e77, Xored PE False, ZLIB Complexity 0.3269159226190476, File Type data, Entropy 3.9295639856741444, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  • .data: VA 0x7000, Virtual Size 0x8d8, Raw Size 0x400, MD5 6358727cf3df3708daa78afa8654316d, Xored PE False, ZLIB Complexity 0.3173828125, File Type data, Entropy 3.5643490797201274, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .pdata: VA 0x8000, Virtual Size 0x384, Raw Size 0x400, MD5 10006d17e6e722f09212eaa0887a2ca1, Xored PE False, ZLIB Complexity 0.4990234375, File Type data, Entropy 3.7109235923530304, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  • .rsrc: VA 0x9000, Virtual Size 0x430, Raw Size 0x600, MD5 9adb46ace55fa3c1afcb1c54a772f3bc, Xored PE False, ZLIB Complexity 0.3079427083333333, File Type data, Entropy 2.557258348290928, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  • .reloc: VA 0xa000, Virtual Size 0xa0, Raw Size 0x200, MD5 720e459bac10eedc77a79669f00a8328, Xored PE False, ZLIB Complexity 0.265625, File Type data, Entropy 1.9647097303611387, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (Name, RVA, Size, Type, Language, Country, ZLIB Complexity):
  • RT_VERSION: RVA 0x9060, Size 0x3d0, Type data, Language English, Country United States, ZLIB Complexity 0.4405737704918033
Imports (DLL: imported functions):
  • ADVAPI32.dll: QueryServiceStatusEx, OpenServiceW, RegSetValueExW, EnumDependentServicesW, ControlServiceExW, RegCreateKeyExW, OpenSCManagerW, CloseServiceHandle, RegCloseKey
  • KERNEL32.dll: CreateDirectoryW, ExpandEnvironmentStringsW, Sleep, GetLastError, OutputDebugStringW, HeapSetInformation, GetLocalTime, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetModuleHandleW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetTickCount
  • USER32.dll: SendNotifyMessageW
  • msvcrt.dll: malloc, ??0exception@@QEAA@AEBQEBDH@Z, ??0exception@@QEAA@AEBV0@@Z, ??1exception@@UEAA@XZ, ?what@exception@@UEBAPEBDXZ, _callnewh, _CxxThrowException, _XcptFilter, _amsg_exit, __wgetmainargs, __set_app_type, exit, _exit, _cexit, __setusermatherr, _initterm, vfwprintf, _fmode, _commode, _lock, _unlock, __dllonexit, _onexit, ??1type_info@@UEAA@XZ, ?terminate@@YAXXZ, __CxxFrameHandler3, ??3@YAXPEAX@Z, _wsplitpath_s, fclose, wcsstr, ??8type_info@@QEBAHAEBV0@@Z, _wfopen_s, _vsnwprintf, ??_V@YAXPEAX@Z, __C_specific_handler, _purecall, fwprintf, memset
  • ntdll.dll: RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
Language of compilation system: English
Country where language is spoken: United States
No network behavior found

Target ID: 0
Start time: 22:45:23
Start date: 26/04/2024
Path: C:\Users\user\Desktop\rsatcustominstaller.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\rsatcustominstaller.exe"
Imagebase: 0x7ff60c030000
File size: 36'792 bytes
MD5 hash: 6D4BE5E22E929E1CCD92AEE1C6BA0AB8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

No disassembly