Windows Analysis Report
9MgoW3Y1ti.exe

Overview

General Information

Sample name:9MgoW3Y1ti.exe
renamed because original name is a hash value
Original sample name:b5782418b0d93145d5e7d5ff762c50e3.exe
Analysis ID:1455413
MD5:b5782418b0d93145d5e7d5ff762c50e3
SHA1:8ad9d47fcd5cc8668c316f2ed8b9ce0f44b9adfb
SHA256:2364f287be72dd7aa1f3cf19ff86314a02b62f4b19792e1e06abad3567d1900c
Tags: exe, Socks5Systemz
Detection

Socks5Systemz
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 9MgoW3Y1ti.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\9MgoW3Y1ti.exe" MD5: B5782418B0D93145D5E7D5FF762C50E3)
    • 9MgoW3Y1ti.tmp (PID: 5232 cmdline: "C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp" /SL5="$203EC,4916934,54272,C:\Users\user\Desktop\9MgoW3Y1ti.exe" MD5: 8EF7001015E126E74BC41268504CA1E2)
      • recordpadsoundrecorder32.exe (PID: 6724 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i MD5: 05231A29BF2470E3D5FEA74C5FD84462)
      • recordpadsoundrecorder32.exe (PID: 5068 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s MD5: 05231A29BF2470E3D5FEA74C5FD84462)
  • svchost.exe (PID: 5388 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 list": ["aadolui.ru"]}
Source | Rule | Description | Author | Strings
C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-377H9.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000000.2196454307.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000000.2199461093.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000004.00000002.3438919346.00000000008B9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: recordpadsoundrecorder32.exe PID: 5068 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Source | Rule | Description | Author | Strings
4.0.recordpadsoundrecorder32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
3.0.recordpadsoundrecorder32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5388, ProcessName: svchost.exe
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
06/11/24-20:04:05.022218 | 2049467 | 49759 | 80 | TCP | A Network Trojan was detected
06/11/24-20:04:00.660933 | 2049467 | 49756 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:20.999590 | 2049467 | 49733 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:50.457825 | 2049467 | 49750 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:33.060284 | 2049467 | 49739 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:45.145687 | 2049467 | 49747 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:42.718124 | 2049467 | 49744 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:15.218492 | 2049467 | 49730 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:55.568367 | 2049467 | 49753 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:06.281713 | 2049467 | 49721 | 80 | TCP | A Network Trojan was detected
06/11/24-20:04:09.182356 | 2049467 | 49762 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:53.390046 | 2049467 | 49751 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:58.405789 | 2049467 | 49754 | 80 | TCP | A Network Trojan was detected
06/11/24-20:04:02.172905 | 2049467 | 49757 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:48.061954 | 2049467 | 49748 | 80 | TCP | A Network Trojan was detected
06/11/24-20:04:06.419496 | 2049467 | 49760 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:37.431894 | 2049467 | 49742 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:28.375163 | 2049467 | 49736 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:34.520546 | 2049467 | 49740 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:38.944323 | 2049467 | 49743 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:43.506708 | 2049467 | 49746 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:29.131237 | 2049467 | 49737 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:00.558791 | 2049467 | 49720 | 80 | TCP | A Network Trojan was detected
06/11/24-20:04:10.647905 | 2049467 | 49763 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:17.343055 | 2049467 | 49731 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:54.130080 | 2049467 | 49752 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:12.287039 | 2049467 | 49729 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:10.015867 | 2049467 | 49725 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:23.984682 | 2049467 | 49734 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:32.171182 | 2049467 | 49738 | 80 | TCP | A Network Trojan was detected
06/11/24-20:04:07.773090 | 2049467 | 49761 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:26.218000 | 2049467 | 49735 | 80 | TCP | A Network Trojan was detected
06/11/24-20:03:07.068331 | 2049467 | 49723 | 80 | TCP | A Network Trojan was detected
                      Timestamp:06/11/24-20:03:10.793000
                      SID:2049467
                      Sourc