
Windows Analysis Report
tOniaJ21lj.exe

Overview

General Information

Sample name: tOniaJ21lj.exe (renamed because the original name is a hash value)
Original sample name: fa367a7d44377d2c3f684c3912fec827.exe
Analysis ID: 1455403
MD5: fa367a7d44377d2c3f684c3912fec827
SHA1: cb9e24a00431a7cccecf333b5d4ec34785389191
SHA256: 7256e9f673b78c62aae25f78902c393d758262202e8ab4e4b4f1d5d01cd4cd12
Tags: exe, Socks5Systemz

Detection

Socks5Systemz
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • tOniaJ21lj.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\tOniaJ21lj.exe" MD5: FA367A7D44377D2C3F684C3912FEC827)
    • tOniaJ21lj.tmp (PID: 2836 cmdline: "C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe" MD5: 8EF7001015E126E74BC41268504CA1E2)
      • recordpadsoundrecorder32.exe (PID: 4368 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i MD5: 1F7ED6F21708581170C4BF77C64A9D32)
      • recordpadsoundrecorder32.exe (PID: 1412 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s MD5: 1F7ED6F21708581170C4BF77C64A9D32)
  • svchost.exe (PID: 5356 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

{"C2 list": ["aaxeeeo.ru"]}
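The process tree above is the standard Inno Setup layout: tOniaJ21lj.tmp is the SetupLdr second stage, extracted to %TEMP%\is-A11IR.tmp\ and started with /SL5="…,C:\Users\user\Desktop\tOniaJ21lj.exe" pointing back at the installer. That stage drops recordpadsoundrecorder32.exe into %LOCALAPPDATA% and runs it twice, first with -i and then with -s; the Socks5Systemz YARA matches in this report are in the memory of the -s instance (PID 1412), not in the dropped files, which only match the generic Delphi rule. The following script is an added example, not part of the Joe Sandbox report: it takes the hashes, C2 domain, dropped-file paths and process chain from the report and runs them over constructed JSON-lines endpoint events. The event field names (type, pid, ppid, image, cmdline, md5, target, query) and the -i/-s pairing rule are assumptions made for the example, not a real Sysmon or EDR schema.

```python
"""Turn the indicators in the report above into checks over endpoint events.

Hashes, the C2 domain, the dropped-file paths and the process chain are copied
from the report. The JSON-lines events below are constructed for this example
and their field names are an assumption, not a real Sysmon or EDR schema.
"""
import json
import re

# Indicators from the report (MD5s lower-cased for comparison).
MD5S = {
    "fa367a7d44377d2c3f684c3912fec827",  # tOniaJ21lj.exe, the submitted sample
    "8ef7001015e126e74bc41268504ca1e2",  # tOniaJ21lj.tmp, the Inno Setup stage
    "1f7ed6f21708581170c4bf77c64a9d32",  # recordpadsoundrecorder32.exe, the payload
}
C2_DOMAINS = {"aaxeeeo.ru"}
DROPPED_PATH_RE = re.compile(
    r"\\(appdata\\local\\recordpad sound recorder\\recordpadsoundrecorder32\.exe"
    r"|programdata\\uid finder 6\.11\.66\\uid finder 6\.11\.66\.exe)$",
    re.IGNORECASE,
)
# Inno Setup's SetupLdr unpacks <name>.tmp into %TEMP%\is-XXXXX.tmp\ and runs
# it with /SL5="$hwnd,...,<original exe>"; that is what tOniaJ21lj.tmp is above.
INNO_STAGE_RE = re.compile(r"\\is-[a-z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
ARG_RE = re.compile(r'"[^"]*"|\S+')  # tokens of a Windows command line

# Constructed events: the report's chain plus a benign Inno Setup install
# (pids 7001/7002 and the all-zero/all-one hashes are made up for the example).
SAMPLE_EVENTS = r"""
{"type": "ProcessCreate", "pid": 6220, "ppid": 4000, "image": "C:\\Users\\user\\Desktop\\tOniaJ21lj.exe", "cmdline": "\"C:\\Users\\user\\Desktop\\tOniaJ21lj.exe\"", "md5": "FA367A7D44377D2C3F684C3912FEC827"}
{"type": "ProcessCreate", "pid": 2836, "ppid": 6220, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\is-A11IR.tmp\\tOniaJ21lj.tmp", "cmdline": "\"C:\\Users\\user\\AppData\\Local\\Temp\\is-A11IR.tmp\\tOniaJ21lj.tmp\" /SL5=\"$10474,4719378,54272,C:\\Users\\user\\Desktop\\tOniaJ21lj.exe\"", "md5": "8EF7001015E126E74BC41268504CA1E2"}
{"type": "FileCreate", "pid": 2836, "target": "C:\\ProgramData\\UID Finder 6.11.66\\UID Finder 6.11.66.exe"}
{"type": "ProcessCreate", "pid": 4368, "ppid": 2836, "image": "C:\\Users\\user\\AppData\\Local\\RecordPad Sound Recorder\\recordpadsoundrecorder32.exe", "cmdline": "\"C:\\Users\\user\\AppData\\Local\\RecordPad Sound Recorder\\recordpadsoundrecorder32.exe\" -i", "md5": "1F7ED6F21708581170C4BF77C64A9D32"}
{"type": "ProcessCreate", "pid": 1412, "ppid": 2836, "image": "C:\\Users\\user\\AppData\\Local\\RecordPad Sound Recorder\\recordpadsoundrecorder32.exe", "cmdline": "\"C:\\Users\\user\\AppData\\Local\\RecordPad Sound Recorder\\recordpadsoundrecorder32.exe\" -s", "md5": "1F7ED6F21708581170C4BF77C64A9D32"}
{"type": "DnsQuery", "pid": 1412, "query": "aaxeeeo.ru"}
{"type": "ProcessCreate", "pid": 7001, "ppid": 7000, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\is-QWERT.tmp\\setup.tmp", "cmdline": "\"C:\\Users\\user\\AppData\\Local\\Temp\\is-QWERT.tmp\\setup.tmp\" /SL5=\"$20202,1000,100,C:\\Users\\user\\Downloads\\setup.exe\"", "md5": "00000000000000000000000000000000"}
{"type": "ProcessCreate", "pid": 7002, "ppid": 7001, "image": "C:\\Program Files\\Example\\example.exe", "cmdline": "\"C:\\Program Files\\Example\\example.exe\"", "md5": "11111111111111111111111111111111"}
{"type": "DnsQuery", "pid": 7002, "query": "example.com"}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ioc_hits(events):
    """Return (pid, indicator type, value) for every event matching a report IOC."""
    hits = []
    for ev in events:
        md5 = ev.get("md5", "").lower()
        if md5 in MD5S:
            hits.append((ev["pid"], "known-hash", md5))
        query = ev.get("query", "").lower().rstrip(".")
        if ev["type"] == "DnsQuery" and query in C2_DOMAINS:
            hits.append((ev["pid"], "c2-domain", query))
        path = ev.get("target") or ev.get("image", "")
        if DROPPED_PATH_RE.search(path):
            hits.append((ev["pid"], "dropped-path", path))
    return hits


def is_inno_stage(ev):
    """True for an Inno Setup SetupLdr second stage (is-XXXXX.tmp\\*.tmp /SL5=...)."""
    return bool(INNO_STAGE_RE.search(ev.get("image", ""))) and "/SL5=" in ev.get("cmdline", "")


def inno_localappdata_chain(events):
    """Images an Inno Setup stage launched from %LOCALAPPDATA% that were run with
    both -i and -s, the install-then-serve pattern in the tree above.  The -i/-s
    rule is derived from this one report, so treat it as a hunt, not a detection."""
    stages = {ev["pid"] for ev in events if ev["type"] == "ProcessCreate" and is_inno_stage(ev)}
    args_by_image = {}
    for ev in events:
        if ev["type"] != "ProcessCreate" or ev.get("ppid") not in stages:
            continue
        image = ev["image"].lower()
        if "\\appdata\\local\\" not in image:
            continue
        args_by_image.setdefault(image, set()).update(ARG_RE.findall(ev["cmdline"])[1:])
    return sorted(img for img, args in args_by_image.items() if {"-i", "-s"} <= args)


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    for hit in ioc_hits(events):
        print("IOC", *hit)
    for image in inno_localappdata_chain(events):
        print("CHAIN", image)
```

On the constructed events the hash, dropped-path and C2 checks fire only on the report's chain, and the chain rule flags recordpadsoundrecorder32.exe but not the benign installer, whose child lives under Program Files and never runs with -i/-s. The hash and domain checks are exact-match IOCs and will age quickly; the path and process-chain checks are the ones worth keeping.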
YARA hits (dropped files)

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-OIVVM.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

YARA hits (memory dumps)

Source | Rule | Description | Author | Strings
00000004.00000000.2036104577.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000003.00000000.2033651879.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: recordpadsoundrecorder32.exe PID: 1412 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

YARA hits (unpacked PE files)

Source | Rule | Description | Author | Strings
3.0.recordpadsoundrecorder32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
4.0.recordpadsoundrecorder32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Sigma rule match

Source: Process started
Author: vburov
Data:
  Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  CommandLine|base64offset|contains:
  Image: C:\Windows\System32\svchost.exe
  NewProcessName: C:\Windows\System32\svchost.exe
  OriginalFileName: C:\Windows\System32\svchost.exe
  ParentCommandLine:
  ParentImage:
  ParentProcessId: 632
  ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  ProcessId: 5356
  ProcessName: svchost.exe
Snort IDS alerts

All 33 alerts share SID 2049467, protocol TCP, destination port 80 and classtype "A Network Trojan was detected"; only the timestamp and the source port differ. Sorted by timestamp:

Timestamp                 Source Port
06/11/24-19:42:55.670104  52621
06/11/24-19:42:57.171208  52623
06/11/24-19:43:00.233904  52625
06/11/24-19:43:01.749476  52626
06/11/24-19:43:06.376941  52628
06/11/24-19:43:07.601992  52629
06/11/24-19:43:08.901351  52630
06/11/24-19:43:10.177838  52631
06/11/24-19:43:11.744384  52632
06/11/24-19:43:13.030652  52633
06/11/24-19:43:15.633502  52634
06/11/24-19:43:16.249164  52635
06/11/24-19:43:17.515047  52636
06/11/24-19:43:18.748451  52637
06/11/24-19:43:23.899062  52639
06/11/24-19:43:26.414769  52640
06/11/24-19:43:27.013923  52641
06/11/24-19:43:31.633412  52643
06/11/24-19:43:34.149022  52644
06/11/24-19:43:34.748394  52645
06/11/24-19:43:36.034207  52646
06/11/24-19:43:38.697972  52648
06/11/24-19:43:40.013828  52649
06/11/24-19:43:41.371967  52650
06/11/24-19:43:45.320897  52652
06/11/24-19:43:47.586566  52653
06/11/24-19:43:48.123287  52654
06/11/24-19:43:49.420215  52655
06/11/24-19:43:52.482822  52657
06/11/24-19:43:53.737196  52658
06/11/24-19:43:57.593794  52661
06/11/24-19:43:58.873534  52662
06/11/24-19:44:00.280298  52663
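The same Snort signature firing 33 times in about a minute, each time on a new ephemeral source port, says more about the sample than any single alert: the -s instance is opening a fresh TCP/80 connection every couple of seconds rather than holding one session. The script below is an added analysis helper, not Joe Sandbox output; the 33 timestamp / source-port pairs are copied from the alert list above, and the only interpretation it adds is that strictly increasing source ports mean one new connection per alert.

```python
"""Cadence of the Snort alerts listed above (SID 2049467, all TCP to port 80).

The 33 timestamp / source-port pairs are copied from the report; the analysis
around them is added here and is not Joe Sandbox output.  It checks that the
ephemeral source ports rise with time (one fresh TCP connection per alert) and
measures the interval between consecutive alerts, which is the rate you would
put into a "many short-lived HTTP connections per minute from one process" hunt.
"""
from datetime import datetime
from statistics import mean

SID = 2049467
DST_PORT = 80
ALERTS = """\
06/11/24-19:42:55.670104 52621
06/11/24-19:42:57.171208 52623
06/11/24-19:43:00.233904 52625
06/11/24-19:43:01.749476 52626
06/11/24-19:43:06.376941 52628
06/11/24-19:43:07.601992 52629
06/11/24-19:43:08.901351 52630
06/11/24-19:43:10.177838 52631
06/11/24-19:43:11.744384 52632
06/11/24-19:43:13.030652 52633
06/11/24-19:43:15.633502 52634
06/11/24-19:43:16.249164 52635
06/11/24-19:43:17.515047 52636
06/11/24-19:43:18.748451 52637
06/11/24-19:43:23.899062 52639
06/11/24-19:43:26.414769 52640
06/11/24-19:43:27.013923 52641
06/11/24-19:43:31.633412 52643
06/11/24-19:43:34.149022 52644
06/11/24-19:43:34.748394 52645
06/11/24-19:43:36.034207 52646
06/11/24-19:43:38.697972 52648
06/11/24-19:43:40.013828 52649
06/11/24-19:43:41.371967 52650
06/11/24-19:43:45.320897 52652
06/11/24-19:43:47.586566 52653
06/11/24-19:43:48.123287 52654
06/11/24-19:43:49.420215 52655
06/11/24-19:43:52.482822 52657
06/11/24-19:43:53.737196 52658
06/11/24-19:43:57.593794 52661
06/11/24-19:43:58.873534 52662
06/11/24-19:44:00.280298 52663
"""


def parse_alerts(text):
    """Return (timestamp, source port) pairs sorted by time (Snort's MM/DD/YY-HH:MM:SS.us)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, port = line.split()
        rows.append((datetime.strptime(stamp, "%m/%d/%y-%H:%M:%S.%f"), int(port)))
    return sorted(rows)


def summarize(rows):
    """Connection cadence and source-port behaviour of the alert series."""
    stamps = [ts for ts, _ in rows]
    ports = [p for _, p in rows]
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return {
        "alerts": len(rows),
        "span_s": (stamps[-1] - stamps[0]).total_seconds(),
        "mean_gap_s": mean(gaps),
        "min_gap_s": min(gaps),
        "max_gap_s": max(gaps),
        # Strictly increasing ports: every alert is a new TCP connection from
        # the same host, not a retransmission within one session.
        "ports_monotonic": all(a < b for a, b in zip(ports, ports[1:])),
        # Ports in the range that no alert used: other connections the host
        # made in the same window that this SID did not fire on.
        "ports_unused_in_range": (ports[-1] - ports[0] + 1) - len(set(ports)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(ALERTS)).items():
        print(f"{key}: {value}")
```

For this report the series spans about 65 s with a mean gap of roughly 2 s (shortest about 0.5 s, longest about 5 s) and the source ports climb from 52621 to 52663 without ever repeating, so the sample is polling, not streaming. A rate threshold derived from that (new outbound TCP/80 connections per minute from one non-browser process) survives a C2 domain change; the SID and the domain aaxeeeo.ru do not.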