
Analysis Report sampleneww

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 173085
Start date: 11.09.2019
Start time: 20:29:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 45s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: sampleneww (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 73.3% (good quality ratio 69.6%)
  • Quality average: 79.5%
  • Quality standard deviation: 27.9%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 56 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Port Monitors | Deobfuscate/Decode Files or Information (1) | Credential Dumping | System Time Discovery (1) | Application Deployment Software | Data from Local System | Data Encrypted (1) | Standard Cryptographic Protocol (2)
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | DLL Side-Loading (1) | Network Sniffing | Security Software Discovery (4) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information (2) | Input Capture | File and Directory Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | System Information Discovery (13) | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication

(Numbers in parentheses are the count of matched signatures for that technique; entries without a count are matrix placeholders with no match.)

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for sample
Source: sampleneww.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for submitted file
Source: sampleneww.exe | Virustotal: Detection: 57%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009D8820 | CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptReleaseContext

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E53C0 | FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C2DF0 | FindFirstFileA,GetLastError,WaitForSingleObject,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,FindNextFileA,GetLastError,FindClose

Networking:

Urls found in memory or binary data
Source: sampleneww.exe | String found in binary or memory: http://10.103.2.247/count02
Source: sampleneww.exe | String found in binary or memory: http://10.103.2.247/count02Please

System Summary:

Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3816:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E9072
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009DA090
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CE880
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009D2080
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009D88C0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C58E0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C69A0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CB9F0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CA910
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E2150
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009DB280
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009D1A80
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E02C8
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CD2E0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E0230
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009F426A
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CCA60
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009D8BD0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009D13F0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009DCBF0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009DDB50
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009F3CF8
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CCC70
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C4460
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E9D9A
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CEDD0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CBDE0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CBD10
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C5680
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009EB6BD
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E0EE0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009DDE10
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009F5E51
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C6790
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009F4F84
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C9F80
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C6FA0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009F47DC
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009D97C0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CCFF0
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009DFF30
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CB760
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009CF760
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: String function: 009C41B0 appears 72 times
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: String function: 009E93B0 appears 32 times
Tries to load missing DLLs
Source: C:\Users\user\Desktop\sampleneww.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal56.winEXE@2/0@0/0
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C3EF0 | _memset,_memset,GetDiskFreeSpaceExA,GetLastError
PE file has an executable .text section and no other executable section
Source: sampleneww.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\sampleneww.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: sampleneww.exe | Virustotal: Detection: 57%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\sampleneww.exe 'C:\Users\user\Desktop\sampleneww.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: sampleneww.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E93F5 | push ecx; ret 0_2_009E9408

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E9072 | RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009D8890 | rdtsc
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\sampleneww.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-20936
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\sampleneww.exe | API coverage: 6.9 %
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E53C0 | FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009C2DF0 | FindFirstFileA,GetLastError,WaitForSingleObject,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,FindNextFileA,GetLastError,FindClose
Contains functionality to query system information
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E43F0 | InitializeCriticalSection,CreateEventA,GetLastError,GetSystemInfo,__beginthreadex,GetLastError,__beginthreadex,GetLastError,WaitForMultipleObjects,GetLastError,Sleep,CloseHandle,__wsystem,WaitForSingleObject,WaitForSingleObject,GetLastError,Sleep,WaitForSingleObject,CloseHandle,CloseHandle,DeleteCriticalSection
Program exit points
Source: C:\Users\user\Desktop\sampleneww.exe | API call chain: ExitProcess graph end node | graph_0-20938

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009D8890 | rdtsc
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E608B | IsDebuggerPresent
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009F1ECE | EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009EB267 | GetProcessHeap
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E9992 | SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E99C3 | SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E49D0 | SetErrorMode,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,CreateEventA,GetLastError,SetEvent,Sleep

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E8D2B | cpuid
Contains functionality to create pipes for IPC
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009E4120 | CreateNamedPipeA,GetLastError,ConnectNamedPipe,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\sampleneww.exe | Code function: 0_2_009ED85F | GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Behavior Graph

Legend (graph node types): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

[Behavior graph image not included. Recoverable graph data:]
Behavior Graph ID: 173085 | Sample: sampleneww | Start date: 11/09/2019 | Architecture: WINDOWS | Score: 56
Root signatures: Antivirus or Machine Learning detection for sample; Multi AV Scanner detection for submitted file
Process tree: sampleneww.exe (started) -> conhost.exe (started)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
sampleneww.exe | 58% | Virustotal |
sampleneww.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://10.103.2.247/count02 | 0% | Virustotal |
http://10.103.2.247/count02 | 0% | Avira URL Cloud | safe
http://10.103.2.247/count02Please | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.