
Windows Analysis Report
odbc.exe

Overview

General Information

Sample name: odbc.exe
Analysis ID: 1455419
MD5: 032d77e7fae7f2d6b8dd2b60c86bb038
SHA1: 4b570bfa08b8ef9101b96a9bfe5e11989d5c5dad
SHA256: e37d2d66afb4f1f3090bab40b144aff9689c4df2e9240b6cf49d818b71620d4d
Infos:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

  • System is w10x64
  • odbc.exe (PID: 6216 cmdline: "C:\Users\user\Desktop\odbc.exe" MD5: 032D77E7FAE7F2D6B8DD2B60C86BB038)
    • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: odbc.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: unknown | DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: odbc.exe | Static PE information: Number of sections : 13 > 10
Source: odbc.exe | Static PE information: Section: /19 ZLIB complexity 0.9997172419571045
Source: odbc.exe | Static PE information: Section: /32 ZLIB complexity 0.9977584941275168
Source: odbc.exe | Static PE information: Section: /65 ZLIB complexity 0.9986953062349639
Source: odbc.exe | Static PE information: Section: /78 ZLIB complexity 0.9919520317545748
Source: classification engine | Classification label: clean2.winEXE@2/0@1/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03
Source: C:\Users\user\Desktop\odbc.exe | File opened: C:\Windows\system32\0d425c5adc9676cb0d11b6de819e0ff5144220a0c10d8c10e88ef1acdd6e11a2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: odbc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\odbc.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: odbc.exe | String found in binary or memory: GOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYIP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEParseFloatPhoenicianProcessingRIPEMD-160RST_STREAMSHA256-RSASHA384-RSASHA512-RSASaurashtraSet-CookieUser-AgentWSACleanupWSASocketWWSAStartup[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]atomicand8audio/aiffaudio/midiaudio/mpegaudio/waveavx512bf16avx512gfniavx512ifmaavx512vaesavx512vbmiavx512vnnicomplex128debug calldnsapi.dllexitThreadexp masterfloat32nanfloat64nanfont/woff2getsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleinvalidptrkeep-alivelocal-addrmSpanInUsenotifyListowner diedres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquireset-cookiesetsockoptstackLarget.Kind == ticks.locktracefree(tracegc()
Source: unknown | Process created: C:\Users\user\Desktop\odbc.exe "C:\Users\user\Desktop\odbc.exe"
Source: C:\Users\user\Desktop\odbc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\odbc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\odbc.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\odbc.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\odbc.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\odbc.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\odbc.exe | Section loaded: mswsock.dll
Source: odbc.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: odbc.exe | Static file information: File size 6827520 > 1048576
Source: odbc.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x23a000
Source: odbc.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x215c00
Source: odbc.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: odbc.exe | Static PE information: section name: /4
Source: odbc.exe | Static PE information: section name: /19
Source: odbc.exe | Static PE information: section name: /32
Source: odbc.exe | Static PE information: section name: /46
Source: odbc.exe | Static PE information: section name: /65
Source: odbc.exe | Static PE information: section name: /78
Source: odbc.exe | Static PE information: section name: /90
Source: odbc.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\odbc.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\odbc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: odbc.exe, 00000000.00000002.2911367867.000002111AD6C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;;U
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows)
Defense Evasion: Software Packing (1), Process Injection (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
Discovery: Security Software Discovery (1), System Information Discovery (1), Query Registry
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (1), Steganography
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact
Behavior Graph (ID: 1455419, Sample: odbc.exe, Startdate: 11/06/2024, Architecture: WINDOWS, Score: 2): odbc.exe started and spawned conhost.exe; DNS query to 171.39.242.20.in-addr.arpa