
Windows Analysis Report
console_zero.exe

Overview

General Information

Sample name: console_zero.exe
Analysis ID: 1523780
MD5: d51c8934c1bb7984906741bfd1f5c060
SHA1: bef7c3d82fa55a59a64633321ba3302194e7090a
SHA256: ec3199374503cf2890616d2f77fd92e5e3a1d1025b5651fc0e288c38bee9ffd8

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w7x64
  • console_zero.exe (PID: 3464 cmdline: "C:\Users\user\Desktop\console_zero.exe" MD5: D51C8934C1BB7984906741BFD1F5C060)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: console_zero.exe | Avira: detected
Source: console_zero.exe | ReversingLabs: Detection: 79%
Source: console_zero.exe | Virustotal: Detection: 69%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.9% probability
Source: console_zero.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F284614 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F270FF4 FindClose,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F271068 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle
Source: console_zero.exe | String found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTC
Source: console_zero.exe | String found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTCapplication/octet-streamtext/plain;
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F288F54
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F2597B0
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F284614
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F27C644
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F251E40
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F28769C
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F25AD50
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F259D30
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F268440
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F259480
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F2894AC
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F26EB00
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F256300
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F263370
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F26A260
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F261A30
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F255A70
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F279A78
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F283110
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F286150
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F2589A0
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F27B7E4
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F259040
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F27A08C
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F271068
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F261070
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F256880
Source: classification engine | Classification label: mal60.winEXE@1/0@0/0
Source: console_zero.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\console_zero.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\console_zero.exe | Section loaded: libcurl.dll
Source: console_zero.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: console_zero.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: console_zero.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: console_zero.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: console_zero.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: console_zero.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: console_zero.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: console_zero.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: console_zero.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: console_zero.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: console_zero.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: console_zero.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: console_zero.exe | Static PE information: section name: .fptable
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F25CB34 push rax; retf 0000h (at 0_2_000000013F25CB41)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
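The static PE lines above (DllCharacteristics flags, the image-base threshold, which section each data directory lands in, the non-standard section name, the embedded URL, and the push/ret byte-pair heuristic) can all be reproduced from the file without a sandbox. The Python below is an added worked example, not Joe Sandbox code and not taken from console_zero.exe: it walks PE32+ headers with the standard library only, and the image it analyses is a constructed minimal PE built by build_sample(), whose section list, data-directory RVAs and .text bytes are assumptions chosen to carry the same signals the report lists.

```python
import re
import struct

# Section names the usual MSVC/GCC toolchains emit; anything else is reported.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids"}
# IMAGE_DLLCHARACTERISTICS_* bits of the PE optional header (subset).
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
DATA_DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
             "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# push r64 (opcode 0x50..0x57) directly followed by ret/retf, with or without imm16.
PUSH_RET = re.compile(rb"[\x50-\x57](?:[\xc3\xcb]|[\xc2\xca]..)", re.DOTALL)


def parse_pe64(data: bytes) -> dict:
    """Minimal PE32+ header walk: optional-header fields, data directories, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = {}
    for i in range(min(n_dirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + 112 + 8 * i)
        if rva:
            dirs[DATA_DIRS[i]] = (rva, size)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i  # section table follows the optional header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        sections.append(dict(name=name, va=va, vsize=vsize, raw_ptr=rptr,
                             raw_size=rsize, chars=chars))
    return dict(image_base=image_base, dll_chars=dll_chars, dirs=dirs, sections=sections)


def triage(data: bytes) -> dict:
    """Derive the report-style static signals from a PE32+ image."""
    pe = parse_pe64(data)

    def section_for(rva):
        for s in pe["sections"]:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
                return s["name"]
        return None

    push_ret = 0
    for s in pe["sections"]:
        if s["chars"] & 0x20000000:  # IMAGE_SCN_MEM_EXECUTE: scan code sections only
            push_ret += len(PUSH_RET.findall(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]))
    return {
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items())
                                if pe["dll_chars"] & bit],
        "image_base": pe["image_base"],
        "high_image_base": pe["image_base"] > 0x60000000,  # the report's threshold
        "nonstandard_sections": [s["name"] for s in pe["sections"]
                                 if s["name"] not in STANDARD_SECTIONS],
        "data_dir_sections": {k: section_for(rva) for k, (rva, _) in pe["dirs"].items()},
        "push_ret_sequences": push_ret,
        "urls": sorted(u.decode() for u in set(re.findall(rb"https?://[\x21-\x7e]+", data))),
    }


def build_sample() -> bytes:
    """Constructed (assumed, not real) PE32+ image carrying the report's static signals."""
    secs = [  # (name, raw payload, IMAGE_SCN_* characteristics)
        (b".text", b"\x48\x31\xc0\x50\xcb\xc3", 0x60000020),  # xor rax,rax; push rax; retf; ret
        (b".rdata", b"http://worldtimeapi.org/api/timezone/Etc/UTC\0", 0x40000040),
        (b".rsrc", b"\0" * 16, 0x40000040),
        (b".reloc", b"\0" * 8, 0x42000040),
        (b".fptable", b"\0" * 8, 0xC0000040),
    ]
    dll_chars = 0x0020 | 0x0040 | 0x0100 | 0x8000
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 0xF0, 0x0022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x200, 0x800, 0, 0x1000, 0x1000, 0x140000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x1000 * (len(secs) + 1),
                      0x400, 0, 3, dll_chars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    # Directory RVAs chosen so IMPORT/DEBUG/LOAD_CONFIG/IAT sit in .rdata (va 0x2000).
    placed = {1: (0x2040, 0x28), 2: (0x3000, 0x10), 5: (0x4000, 0x8),
              6: (0x2080, 0x1C), 10: (0x20A0, 0x40), 12: (0x2000, 0x10)}
    dirs = b"".join(struct.pack("<II", *placed.get(i, (0, 0))) for i in range(16))
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                                0x400 + 0x200 * i, 0, 0, 0, 0, chars)
                    for i, (name, _, chars) in enumerate(secs))
    header = (dos + b"PE\0\0" + coff + opt + dirs + hdrs).ljust(0x400, b"\0")
    return header + b"".join(p.ljust(0x200, b"\0") for _, p, _ in secs)
```

Call triage(build_sample()) for the constructed image, or triage(open(path, "rb").read()) on a real PE32+. The push/ret heuristic is deliberately as crude as the signature it mirrors: it matches any push r64 opcode byte followed by a ret/retf opcode byte, which also fires on data and on unrelated instruction sequences that happen to contain those bytes, so treat the count as a pointer to the disassembly rather than as evidence on its own.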
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F27957C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F285880 GetProcessHeap
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F2726B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F272B44 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F272964 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F28A540 cpuid
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F287FA8 EnumSystemLocalesW
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F2886A4 EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F288560 GetLocaleInfoW
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F287C44 TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F2884AC GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F2804C0 GetLocaleInfoW
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F288354 GetLocaleInfoW
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F270A5C GetLocaleInfoEx,FormatMessageA
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F288110 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F28014C EnumSystemLocalesW
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F288078 EnumSystemLocalesW
Source: C:\Users\user\Desktop\console_zero.exe | Code function: 0_2_000000013F272BB0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Reading note on the anti-debugging and locale evidence above (editorial, not a Joe Sandbox signature): the sequences at 0_2_000000013F27957C, 0_2_000000013F272964 and 0_2_000000013F2726B0 (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess) are the call pattern of the MSVC runtime's __report_gsfailure / __raise_securityfailure stack-cookie failure path; 0_2_000000013F272BB0 (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter) is the __security_init_cookie pattern; and the EnumSystemLocalesW / GetLocaleInfoW / IsValidCodePage / GetACP group is the CRT's setlocale support. This code is standard in MSVC-built x64 executables, so the IsDebuggerPresent, GetProcessHeap, cpuid and locale signatures are weak evidence on their own; confirm behaviour from the disassembly at those addresses rather than from the signature names, and weigh the AV and neural-model detections, the loaded libcurl.dll and the worldtimeapi.org URL string separately.
MITRE ATT&CK Matrix (techniques with matching signatures; number of matching signatures in parentheses)

  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (2), File and Directory Discovery (1), System Information Discovery (22)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
  • No matches: Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration, Impact