Windows Analysis Report
Service.exe

Overview

General Information

Sample name: Service.exe
Analysis ID: 1635452
MD5: c6063e70d5165d1186696d84a18576b2
SHA1: 7bfa0e4e935cdf264c84c050c717c67257a0a99f
SHA256: 31bbfded45a9815b54db6f95ea71498dc8c18eede71a3a6810bdf5b37ab5f56b
Tags: exe, user-aachum

Detection

Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to determine the online IP of the system
Joe Sandbox ML detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found potential string decryption / allocating functions
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)

Process Tree

  • System is w10x64
  • Service.exe (PID: 7076, cmdline: "C:\Users\user\Desktop\Service.exe", MD5: C6063E70D5165D1186696D84A18576B2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Service.exe | Virustotal: Detection: 25%
Source: Service.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: Service.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Service.exe | Binary string: \LoaderV2\ClientLoader\x64\Release\ClientLoader.pdb (MSVC x64 Release build; the project name "ClientLoader" under "LoaderV2" is the only self-description the binary carries)
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF620823160 FindFirstFileExW

Networking

Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF6208020B0 InternetOpenA,GetLastError,InternetOpenUrlA,GetLastError,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn, http://api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.7:49681 -> 89.208.104.175:5000
Source: unknown | DNS query: name: api.ipify.org (2 queries)
Source: unknown | TCP traffic detected without corresponding DNS query: 89.208.104.175 (6 connections; the address is hard-coded, not resolved)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF620802820 CreateProcessA,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,recv,SHGetFolderPathA,send,CreateDirectoryA,GetLastError,send,ShellExecuteA,send,send,send,send,recv,WSAGetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
    (The same function mixes socket I/O (recv/send/WSAGetLastError) with SHGetFolderPathA, CreateDirectoryA, ShellExecuteA and CreateProcessA: a receive-then-act loop against the 89.208.104.175:5000 peer. The report captured no payload, so the command format is unknown.)
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: IPRetriever
    Host: api.ipify.org
    Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: Service.exe | String found in binary or memory: http://api.ipify.org
Source: Service.exe, 00000000.00000002.2104089865.00000297D3C11000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000000.00000002.2104089865.00000297D3C29000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000000.00000002.2104089865.00000297D3C3B000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000000.00000002.2104089865.00000297D3BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: Service.exe, 00000000.00000002.2104089865.00000297D3C11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/6f
Source: Service.exe, 00000000.00000002.2104089865.00000297D3C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/Fv
Source: Service.exe, 00000000.00000002.2104089865.00000297D3C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/HF
Source: Service.exe, 00000000.00000002.2104089865.00000297D3C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/pF
Source: Service.exe, 00000000.00000002.2104089865.00000297D3C11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org8f
Source: Service.exe | String found in binary or memory: http://api.ipify.orgInternetOpenUrl
Source: Service.exe, 00000000.00000002.2103680091.000000A37BD49000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://api.pifk
    (The variants with trailing "6f", "Fv", "HF", "pF", "8f" and "InternetOpenUrl", and the truncated "http://api.pifk", are string-scanner reads running past or short of the same URL in process memory; the only URL actually requested is http://api.ipify.org/.)
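The network findings above, turned into detection logic that runs over a constructed log sample. This is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: the pipe-separated log format, the "standard port" allow-list and the sample log lines are assumptions made for the example; the indicator values (api.ipify.org, the IPRetriever User-Agent, the hard-coded peer 89.208.104.175:5000) are taken from the report. It re-implements three of the report's heuristics: an external-IP lookup with a non-browser User-Agent, a TCP connection to an address no DNS answer in the window resolved, and a connection to a non-standard port.

```python
"""Detection pass over constructed proxy/DNS/connection log lines (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set

STANDARD_PORTS = {53, 80, 443}        # assumption: what counts as a "standard" port here
IP_CHECK_HOSTS = {"api.ipify.org"}    # external-IP lookup service seen in the report
SUSPICIOUS_UA = {"IPRetriever"}       # User-Agent string from the report's HTTP request

# Constructed sample log, not captured traffic. Fields: time|kind|src|dst|detail
SAMPLE_LOG = """\
17:24:31|dns|192.168.2.7|1.1.1.1|q=api.ipify.org a=172.67.74.152
17:24:31|tcp|192.168.2.7|172.67.74.152:80|
17:24:31|http|192.168.2.7|172.67.74.152:80|host=api.ipify.org ua=IPRetriever path=/
17:24:32|tcp|192.168.2.7|89.208.104.175:5000|
17:24:40|dns|192.168.2.7|1.1.1.1|q=fs.microsoft.com a=23.60.203.209
17:24:40|tcp|192.168.2.7|23.60.203.209:443|
17:24:40|http|192.168.2.7|23.60.203.209:443|host=fs.microsoft.com ua=Microsoft-Delivery-Optimization/10.0 path=/
"""


@dataclass
class Finding:
    time: str
    rule: str
    detail: str


def parse_kv(s: str) -> Dict[str, str]:
    """Parse 'k=v k2=v2' detail fields; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in s.split() if "=" in tok)


def analyze(log_text: str) -> List[Finding]:
    """Single pass over the log. DNS answers populate the set of 'explained'
    destination IPs; a TCP connection to an IP outside that set is the report's
    'TCP traffic detected without corresponding DNS query' condition."""
    resolved: Set[str] = set()
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, kind, src, dst, detail = line.split("|", 4)
        kv = parse_kv(detail)
        if kind == "dns":
            resolved.add(kv.get("a", ""))
        elif kind == "tcp":
            ip, port_s = dst.rsplit(":", 1)
            port = int(port_s)
            if ip not in resolved:
                findings.append(Finding(time, "tcp_without_dns", f"{src} -> {ip}:{port}"))
            if port not in STANDARD_PORTS:
                findings.append(Finding(time, "non_standard_port", f"{src} -> {ip}:{port}"))
        elif kind == "http":
            host, ua = kv.get("host", ""), kv.get("ua", "")
            if host in IP_CHECK_HOSTS:
                findings.append(Finding(time, "external_ip_lookup", f"{host} ua={ua}"))
            if ua in SUSPICIOUS_UA:
                findings.append(Finding(time, "suspicious_user_agent", f"ua={ua} host={host}"))
    return findings


def rules_fired(log_text: str) -> Dict[str, int]:
    """Rule name -> number of hits, convenient for a quick verdict or a test."""
    counts: Dict[str, int] = {}
    for f in analyze(log_text):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.time} {f.rule:24s} {f.detail}")
```

On the sample log the benign fs.microsoft.com exchange (resolved, port 443, ordinary User-Agent) produces nothing, while the ipify request fires on both host and User-Agent and the 89.208.104.175:5000 connection fires on both the missing DNS resolution and the port; the pairing of an external-IP lookup followed within seconds by an unresolved connection is the pattern worth alerting on, either signal alone is noisy.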
Source: C:\Users\user\Desktop\Service.exe | Code functions flagged:
    0_2_00007FF620802820, 0_2_00007FF6208038F0, 0_2_00007FF6208020B0, 0_2_00007FF62081A1C8,
    0_2_00007FF620823160, 0_2_00007FF620813AD4, 0_2_00007FF62081FAB0, 0_2_00007FF620826404,
    0_2_00007FF620802390, 0_2_00007FF620812B7C, 0_2_00007FF62081DBAC, 0_2_00007FF6208135C8,
    0_2_00007FF620827DE8, 0_2_00007FF620816DE0, 0_2_00007FF620829D68, 0_2_00007FF62081655C,
    0_2_00007FF620812D80, 0_2_00007FF6208296CC, 0_2_00007FF62081E6C0, 0_2_00007FF620824EF4,
    0_2_00007FF620805E40, 0_2_00007FF620818E80, 0_2_00007FF620822004, 0_2_00007FF620815F90,
    0_2_00007FF620812F84, 0_2_00007FF62081E040
Source: C:\Users\user\Desktop\Service.exe | Code function: String function: 00007FF620808400 appears 31 times
Source: classification engine | Classification label: mal56.winEXE@1/1@1/2
Source: C:\Users\user\Desktop\Service.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\H2M3G1OR.txt
Source: Service.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Service.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Service.exe | Sections loaded: apphelp.dll, wininet.dll, mswsock.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Users\user\Desktop\Service.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Service.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Service.exe | Static PE information: data directories present: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
Source: Service.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Service.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Service.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Service.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Service.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
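The static PE checks listed above (the DllCharacteristics flag set and the mapping of each data directory to the section that contains it), reproduced as a small header parser. This is an added example, not code from the report or from Joe Sandbox. The PE32+ image it parses is constructed in memory with the report's flag value and a section layout chosen so the directories land in .rdata, .rsrc and .reloc as the report found; it is a synthetic stand-in, not Service.exe, and the section sizes and directory RVAs in it are invented for the example.

```python
"""Static PE32+ triage: DllCharacteristics and data-directory-to-section mapping (added example)."""
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_DIRECTORY_ENTRY_* names in index order
DATA_DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def parse_pe(data: bytes):
    """Parse a PE32+ header. Returns (dll_characteristics, [(dir_name, rva, size)],
    [(section_name, virtual_address, virtual_size)]). Raises ValueError on a non-PE32+ input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = []
    for i in range(min(num_dirs, 16)):                    # directories start at +112, 8 bytes each
        rva, size = struct.unpack_from("<II", data, opt + 112 + 8 * i)
        dirs.append((DATA_DIRECTORY_NAMES[i], rva, size))
    sections = []
    for i in range(num_sections):                         # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, va = struct.unpack_from("<8sII", data, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return dll_chars, dirs, sections


def decode_dll_characteristics(value: int) -> List[str]:
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def section_for_rva(rva: int, sections) -> str:
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return "<no section>"


def directory_sections(data: bytes) -> Dict[str, str]:
    """Section holding each non-empty data directory (the report's 'is in: .rdata' lines)."""
    _, dirs, sections = parse_pe(data)
    return {name: section_for_rva(rva, sections) for name, rva, size in dirs if rva and size}


def build_sample_pe() -> bytes:
    """Constructed PE32+ header for this example (not Service.exe): the report's flag set,
    ImageBase 0x140000000, and directories placed in .rdata/.rsrc/.reloc."""
    sections = [(b".text", 0x1000, 0x30000), (b".rdata", 0x31000, 0x10000),
                (b".data", 0x41000, 0x4000), (b".rsrc", 0x45000, 0x1000), (b".reloc", 0x46000, 0x1000)]
    dirs = {"IMPORT": (0x3A000, 0x100), "RESOURCE": (0x45000, 0x1E0), "BASERELOC": (0x46000, 0x80),
            "DEBUG": (0x38000, 0x38), "LOAD_CONFIG": (0x38100, 0x140), "IAT": (0x31000, 0x400)}
    e_lfanew, size_opt = 0x80, 240
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x0022)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)                                 # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                          # ImageBase
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x8000)   # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                                  # NumberOfRvaAndSizes
    for i, name in enumerate(DATA_DIRECTORY_NAMES):
        struct.pack_into("<II", opt, 112 + 8 * i, *dirs.get(name, (0, 0)))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0x400 + i * 0x200, 0, 0, 0, 0, 0)
                     for i, (n, va, vs) in enumerate(sections))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    image = build_sample_pe()
    chars, _, _ = parse_pe(image)
    print("DllCharacteristics:", ", ".join(decode_dll_characteristics(chars)))
    for name, sec in directory_sections(image).items():
        print(f"IMAGE_DIRECTORY_ENTRY_{name} is in: {sec}")
```

The flag set the report lists (HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE, value 0x8160) is the default for a modern MSVC x64 Release link, so it says the binary is a stock compiler build rather than anything about intent; what is worth checking with a parser like this is a directory that falls outside any section or into an executable one.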
Source: C:\Users\user\Desktop\Service.exe TID: 7080 | Thread sleep time: -90000s >= -30000s (the value is the raw millisecond delay argument, i.e. a 90 s sleep over the 30 s threshold; together with "Analysis stop reason: Timeout" this is why the run captured little post-connection behaviour)
Source: C:\Users\user\Desktop\Service.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF620823160 FindFirstFileExW
Source: Service.exe, 00000000.00000002.2104089865.00000297D3C3B000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.2104089865.00000297D3BBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW (also seen as "Hyper-V RAWq2/" and "Hyper-V RAW d"; this is the Winsock catalog name of the AF_HYPERV provider, pulled into memory by socket initialisation, not evidence of a VM check)
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF620815AA8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF6208276F4 GetProcessHeap
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF62080CAAC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF62080CC50 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF62080C028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF62082CBC0 cpuid
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF6208271F8 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF620826994 TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF6208272A8 GetLocaleInfoW
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF6208273DC EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF62081D3E4 GetLocaleInfoW
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF620826CF0 EnumSystemLocalesW
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF620826DC0 EnumSystemLocalesW
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF62081CF0C EnumSystemLocalesW
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF620826E58 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF6208270A0 GetLocaleInfoW
Source: C:\Users\user\Desktop\Service.exe | Code function: 0_2_00007FF62080C9A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
    (Caveat: the IsDebuggerPresent/UnhandledExceptionFilter sequences, the cpuid and IsProcessorFeaturePresent calls, the GetSystemTimeAsFileTime/QueryPerformanceCounter combination and the locale enumeration are the standard MSVC CRT start-up, security-cookie and locale-initialisation code present in every Release x64 build of this kind; the signature hits above are weak evidence of deliberate anti-analysis. The 90 s sleep and the hard-coded, unresolved C2 address are the findings that carry weight.)
ATT&CK matrix (techniques with matched signatures; the unmatched cells of the standard matrix are omitted, the number in parentheses is the count of matching signatures):

  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), DLL Side-Loading (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), System Network Connections Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (22)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (2)
Antivirus and URL Detection

Initial sample:
    Source | Detection | Scanner
    Service.exe | 26% | Virustotal
    Service.exe | 32% | ReversingLabs
Dropped files, unpacked PE files, domains: No Antivirus matches
URLs:
    Source | Detection | Scanner | Label
    http://api.ipify.orgInternetOpenUrl | 0% | Avira URL Cloud | safe
    http://api.ipify.org8f | 0% | Avira URL Cloud | safe
    http://api.pifk | 0% | Avira URL Cloud | safe
    (These are not three distinct URLs: the first is most likely the api.ipify.org string read past its terminator into the adjacent "InternetOpenUrl" import name, the other two are truncated or overrun copies of the same URL from process memory. The "safe" verdicts apply to the ipify service, which is legitimate; the sample's use of it to learn its public IP is the relevant finding.)
Domains:
    Name | IP | Active | Malicious | Reputation
    api.ipify.org | 172.67.74.152 | true | false | high
URLs contacted:
    Name | Malicious | Reputation
    http://api.ipify.org/ | false | high
URLs found in binary or memory:
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://api.ipify.org/pF | Service.exe, 00000000.00000002.2104089865.00000297D3C29000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://api.ipify.org8f | Service.exe, 00000000.00000002.2104089865.00000297D3C11000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://api.ipify.orgInternetOpenUrl | Service.exe | false | Avira URL Cloud: safe | unknown
    http://api.ipify.org/HF | Service.exe, 00000000.00000002.2104089865.00000297D3C29000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://api.ipify.org/6f | Service.exe, 00000000.00000002.2104089865.00000297D3C11000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://api.ipify.org/Fv | Service.exe, 00000000.00000002.2104089865.00000297D3C29000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://api.ipify.org | Service.exe | false | - | high
    http://api.pifk | Service.exe, 00000000.00000002.2103680091.000000A37BD49000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IPs:
    IP | Domain | Country | ASN | ASN Name | Malicious
    89.208.104.175 | unknown | Russian Federation | 42569 | PSKSET-AS RU | false
    172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENET US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1635452
Start date and time: 2025-03-11 17:24:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Service.exe
Detection: MAL
Classification: mal56.winEXE@1/1@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 9
• Number of non-executed functions: 80
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 23.60.203.209
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
Dropped file:
Process: C:\Users\user\Desktop\Service.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 12
Entropy (8bit): 2.8553885422075336
Encrypted: false
SSDEEP: 3:fuMEc:23c
MD5: 99C7886BEA2DE7A0101C2650904125B2
SHA1: 923B92CB8983479444E728E099B85F84A8DC1358
SHA-256: FFF62C3400A9C4F4618583FD90966E4E5B1122239157CAA576BFD6A1FA71204D
SHA-512: 7FB99EB3F5DF99B330325BB84C3676ABFD4BA02A2F37C596FDBD717FEEEA84887522E4957D57FD2C77A6A73C56656D1B8A8D17BB28CE158CD474ECE6E71B5565
Malicious: false
Preview: 8.46.123.189
(This is the body of the api.ipify.org response, cached by WinINet under INetCache when the sample called InternetOpenUrlA, and it holds the public IPv4 address of the analysis machine. It is a side effect of the IP lookup rather than a file the sample wrote on purpose, which is why it is not flagged malicious.)
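The dropped file is the cached api.ipify.org response, i.e. the analysis machine's public IPv4 address written to INetCache by WinINet. The added example below (not from the report and not Joe Sandbox code) recomputes the report's metrics on the same twelve bytes, which confirms that the preview is the complete file, and classifies the content so that a similar cache artefact can be triaged automatically; only the byte string comes from the report's preview, the classification rules are constructed for the example.

```python
"""Triage of a small dropped text artefact: metrics plus content classification (added example)."""
import hashlib
import ipaddress
import math
from collections import Counter
from typing import Dict

DROPPED_FILE_BYTES = b"8.46.123.189"   # from the report's "Preview" field, 12 bytes


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the measure the report calls 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_text(data: bytes) -> str:
    """Classify a small artefact: 'binary', plain 'text', or an IP address with scope.
    A public address in a cache file created right after an ipify request is the
    sample learning its own external IP."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return "text"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"ipv{ip.version}-private"
    return f"ipv{ip.version}-public"


def triage(data: bytes) -> Dict[str, object]:
    """Same fields the report prints for a dropped file, plus the content class."""
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 6),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "has_line_terminator": b"\n" in data or b"\r" in data,
        "class": classify_text(data),
    }


if __name__ == "__main__":
    for key, value in triage(DROPPED_FILE_BYTES).items():
        print(f"{key:20s} {value}")
```

The low entropy (about 2.86 bits per byte) is what a dotted-quad string looks like; a cache file with the same name pattern but entropy near 8 would point at a binary payload rather than an IP lookup result, so the entropy and the classification together separate the two cases without inspecting the content by hand.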
Sample file:
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.297881307822204
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Service.exe
File size: 288,256 bytes
MD5: c6063e70d5165d1186696d84a18576b2
SHA1: 7bfa0e4e935cdf264c84c050c717c67257a0a99f
SHA256: 31bbfded45a9815b54db6f95ea71498dc8c18eede71a3a6810bdf5b37ab5f56b
SHA512: 03e448e09092bd569c2ace54637d390d78af04a06e8e18d584885b8972289a95b0b637c05858d37bfc3fdbdaa23e21b18f8d06d72f60ae35ed39533b61f7715c
SSDEEP: 3072:bjTaw17mBiuYusL/ZWNLgAlkVQFFpeC/e6PTFsNpN8LCAlSFtkSmjJ53u8mWPowV:Sifus7QniVQFFAC/PFSAGf3mNJ/
TLSH: 28547E15F7A518F9ED67923CC8424902DA72BC5647A5E7CF03E00A9B2F276E09E3E711
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.....z...z...z.@.y...z.@....