
Analysis Report designdoll_Serial_gen.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 193303
Start date: 03.12.2019
Start time: 08:47:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: designdoll_Serial_gen.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winEXE@1/0@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 75.3%)
  • Quality average: 48.5%
  • Quality standard deviation: 39.9%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 6
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe
  • Execution Graph export aborted for target designdoll_Serial_gen.exe, PID 5080, because there are no executed functions

Detection

Strategy: Threshold
Score: 2
Range: 0 - 100
Whitelisted: false
Detection: clean

Confidence

Strategy: Threshold
Score: 4
Range: 0 - 5
Further analysis required?: false

Classification

clean2.winEXE@1/0@0/0
Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior. Here that library is mfc100u.dll (the Unicode MFC 10 runtime shipped with the Visual C++ 2010 redistributable). Because the import is resolved at process start, its absence most likely stopped the sample before any of its own code ran: HCA recorded 0 executed functions, the run ended by timeout, and no file, registry, network or injection activity was observed. The CLEAN verdict therefore reflects an absence of observed behaviour, not confirmed benign behaviour. Install the Visual C++ 2010 redistributable (mfc100u.dll together with msvcr100.dll) on the analysis image and re-submit before relying on the verdict.



Mitre Att&ck Matrix

Techniques matched by this analysis (the number is the count of matching signatures):

Tactic            Technique                          Matching signatures
Defense Evasion   DLL Side-Loading                   1
Defense Evasion   Obfuscated Files or Information    1
Discovery         System Time Discovery              1
Discovery         Application Window Discovery       1
Discovery         Security Software Discovery        1
Discovery         System Information Discovery       2

No technique was matched under Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Collection, Exfiltration, Command and Control or Impact.

The DLL Side-Loading entry corresponds to the missing mfc100u.dll import. On a host where the DLL is not installed system-wide, the loader searches the executable's own directory first, so a DLL of that name dropped beside the file would be loaded in its place; on the analysis machine the load simply failed.

Signature Overview

System Summary:

Tries to load missing DLLs
Source: C:\Users\user\Desktop\designdoll_Serial_gen.exe, Section loaded: mfc100u.dll
Note: mfc100u.dll is the Unicode MFC 10 runtime from the Visual C++ 2010 redistributable. The sample imports it by name, so when it is absent the loader fails process start-up before any of the sample's own code runs, which is consistent with HCA recording 0 executed functions.
Classification label
Source: classification engine, Classification label: clean2.winEXE@1/0@0/0
PE file has an executable .text section and no other executable section
Source: designdoll_Serial_gen.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\designdoll_Serial_gen.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: this key holds Software Restriction Policy (SAFER) settings and is read by the Windows loader during start-up of every process to decide whether policy checks apply. The access is attributed to the sample's process but is not code the sample contains, so it should not be read as security-software discovery.
Uses new MSVCR DLLs
Source: C:\Users\user\Desktop\designdoll_Serial_gen.exe, File opened: C:\Windows\SysWOW64\MSVCR100.dll
Note: MSVCR100.dll is the Visual C++ 2010 CRT. It was resolved from SysWOW64, so the sample is a 32-bit image running under WOW64 on the 64-bit analysis system, which also matches the 32-bit code addresses (0x00DExxxx) in the signatures below.
PE file contains a mix of data directories often seen in goodware
Source: designdoll_Serial_gen.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: designdoll_Serial_gen.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: designdoll_Serial_gen.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: designdoll_Serial_gen.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: designdoll_Serial_gen.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: designdoll_Serial_gen.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: designdoll_Serial_gen.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: designdoll_Serial_gen.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: K:\My Documents\Visual Studio 2010\Projects\sn_gen\Release\sn_gen.pdbP@, source: designdoll_Serial_gen.exe
Source: Binary string: K:\My Documents\Visual Studio 2010\Projects\sn_gen\Release\sn_gen.pdbP, source: designdoll_Serial_gen.exe, 00000002.00000002.2185365789.0000000000DE3000.00000004.00020000.sdmp
Source: Binary string: K:\My Documents\Visual Studio 2010\Projects\sn_gen\Release\sn_gen.pdb, source: designdoll_Serial_gen.exe
Note: the three entries are the same path, seen in the file and in a memory dump of the process. A Release build of a project named sn_gen under a Visual Studio 2010 tree corroborates the VC++ 2010 runtime dependencies above, and the full path is a useful hunting pivot for other builds from the same author.
PE file contains a valid data directory to section mapping
Source: designdoll_Serial_gen.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: designdoll_Serial_gen.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: designdoll_Serial_gen.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: designdoll_Serial_gen.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: designdoll_Serial_gen.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
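The static findings above (one executable .text section and no other, the DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE flags, the section that holds each data directory, and the CodeView PDB path) can be verified without a sandbox. The Python below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. It parses the PE headers with the standard library only (no pefile dependency). Because the sample itself is not available here, the script also builds a constructed in-memory PE32 image that reproduces the reported features (section names, flags and the PDB string from this report; the import, IAT and load-config bytes are left empty, only their RVAs matter for the mapping). Pass a real file on the command line to report on it instead.

```python
import struct
import sys
from collections import namedtuple

# Section characteristics and DllCharacteristics bits from the PE/COFF specification.
SCN_CODE, SCN_IDATA, SCN_EXEC, SCN_READ = 0x20, 0x40, 0x20000000, 0x40000000
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
             "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
             "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
Section = namedtuple("Section", "name va vsize raw rawsize chars")

def parse_pe(data):
    """Return DllCharacteristics, the populated data directories and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if e_lfanew < 0 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4                                           # IMAGE_FILE_HEADER
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                               # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: 8-byte stack/heap fields push them 16 bytes down
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]      # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    raw_dirs = {DIR_NAMES[i]: struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(min(ndirs, 16))}
    dirs = {name: (rva, size) for name, (rva, size) in raw_dirs.items() if rva}   # keep populated entries
    sections = []
    for i in range(nsec):                                       # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), va, vsize, rawptr, rawsize, chars))
    return {"dllchar": dllchar, "dirs": dirs, "sections": sections}

def executable_sections(pe):  # the report expects exactly ['.text'] here
    return [s.name for s in pe["sections"] if s.chars & (SCN_EXEC | SCN_CODE)]

def dll_flags(pe):
    return [name for bit, name in sorted(DLL_FLAGS.items()) if pe["dllchar"] & bit]

def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s.va <= rva < s.va + max(s.vsize, s.rawsize):
            return s
    return None

def directory_map(pe):  # containing section per populated directory; None = outside every section
    return {n: getattr(section_for_rva(pe, rva), "name", None) for n, (rva, _) in pe["dirs"].items()}

def pdb_path(data, pe):
    """Walk IMAGE_DEBUG_DIRECTORY and return the path from the first CodeView RSDS record."""
    rva, size = pe["dirs"].get("DEBUG", (0, 0))
    sec = section_for_rva(pe, rva)
    for i in range(size // 28 if sec else 0):                  # 28-byte entries; none without DEBUG
        entry = sec.raw + (rva - sec.va) + 28 * i
        _, _, _, _, dtype, dsize, _, rawptr = struct.unpack_from("<IIHHIIII", data, entry)
        if dtype == 2 and data[rawptr:rawptr + 4] == b"RSDS":  # IMAGE_DEBUG_TYPE_CODEVIEW
            path = data[rawptr + 24:rawptr + dsize]            # skip "RSDS", GUID(16), age(4)
            return path.split(b"\0", 1)[0].decode("utf-8", "replace")
    return None

def static_report(data):
    pe = parse_pe(data)
    return {"executable_sections": executable_sections(pe), "dll_flags": dll_flags(pe),
            "directories": directory_map(pe), "pdb": pdb_path(data, pe)}

def build_sample_pe(pdb=b"K:\\My Documents\\Visual Studio 2010\\Projects\\sn_gen\\Release\\sn_gen.pdb"):
    """Constructed PE32 image (not the analysed sample) with the static features the report flags:
    one executable .text, ASLR/NX/TS-aware flags, directories in the expected sections, RSDS record."""
    secs = [(b".text", 0x1000, 0x200, SCN_CODE | SCN_EXEC | SCN_READ), (b".rdata", 0x2000, 0x400, SCN_IDATA | SCN_READ),
            (b".rsrc", 0x3000, 0x600, SCN_IDATA | SCN_READ), (b".reloc", 0x4000, 0x800, SCN_IDATA | SCN_READ)]
    img = bytearray(0xA00)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(secs), 0, 0, 0, 224, 0x102)  # i386, 4 sections
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<H", img, opt + 70, 0x0040 | 0x0100 | 0x8000)  # DllCharacteristics
    struct.pack_into("<I", img, opt + 92, 16)                   # NumberOfRvaAndSizes
    dirs = {"IMPORT": (0x2100, 0x28), "RESOURCE": (0x3000, 0x200), "BASERELOC": (0x4000, 0x200),
            "DEBUG": (0x2000, 28), "LOAD_CONFIG": (0x2180, 0x40), "IAT": (0x21C0, 0x20)}
    for name, (rva, size) in dirs.items():
        struct.pack_into("<II", img, opt + 96 + 8 * DIR_NAMES.index(name), rva, size)
    for i, (name, rva, raw, chars) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 224 + 40 * i, name, 0x200, rva, 0x200, raw, 0, 0, 0, 0, chars)
    rsds = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb + b"\0"  # CodeView: sig, GUID, age, path
    struct.pack_into("<IIHHIIII", img, 0x400, 0, 0, 0, 0, 2, len(rsds), 0x2040, 0x440)  # entry at .rdata+0
    img[0x440:0x440 + len(rsds)] = rsds
    return bytes(img)

if __name__ == "__main__":                                       # usage: python pe_static.py [file.exe]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(static_report(blob))
```

executable_sections lists a section if either IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_CNT_CODE is set, so a packer that marks .data or .rsrc executable shows up even when it forgets the CODE bit; a result other than ['.text'] is the cue to look closer. directory_map returns None for a directory whose RVA falls outside every section, which is the inverse of the "valid data directory to section mapping" signature and a common sign of a malformed or hand-crafted header. pdb_path walks the debug directory through the section table rather than trusting string scans, which is why it returns the clean path rather than the "...pdbP@" variants the report's string extractor produced.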

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\designdoll_Serial_gen.exe, Code function: 2_2_00DE22E5 push ecx; ret 2_2_00DE22F8
Note: the flagged function spans 19 bytes (0x00DE22E5 to 0x00DE22F8) and ends in push ecx; ret, which matches the layout of the x86 MSVC CRT's _SEH_epilog4 stub: it pops the saved return address into ecx, restores the callee-saved registers and the frame, then returns through ecx. That is compiler-generated structured-exception-handling boilerplate, not obfuscation; the heuristic fires on the instruction pattern alone.

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\designdoll_Serial_gen.exe, Code function: 2_2_00DE16F0 IsIconic,#788,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#1212,#10081,2_2_00DE16F0
Note: this call sequence is the OnPaint handler that the MFC dialog-application wizard generates, which draws the application icon centred in the client area while the dialog is minimised; #788, #1212 and #10081 are ordinal imports from mfc100u.dll. It is UI boilerplate rather than a visibility check, and it confirms the binary is an MFC dialog application, which cannot reach this code at all while mfc100u.dll is missing.

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\designdoll_Serial_gen.exe, Code function: 2_2_00DE1EC0 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,2_2_00DE1EC0
Program does not show much activity (idle)
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\designdoll_Serial_gen.exe, Code function: 2_2_00DE1EC0 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,2_2_00DE1EC0
Note: both signatures fire on the same function, 2_2_00DE1EC0, and this exact API chain is the Visual C++ 2010 CRT's stack-cookie failure handler (__report_gsfailure), linked into every /GS-compiled binary. It calls IsDebuggerPresent only to decide how to report a corrupted cookie, resets the unhandled-exception filter so the report is not suppressed, and then terminates the process. It is neither a deliberate anti-debugging check nor an application-registered exception handler. To distinguish a real check, look for IsDebuggerPresent calls outside the CRT that branch on the return value.

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\designdoll_Serial_gen.exe, Code function: 2_2_00DE2349 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_00DE2349
Note: this five-call sequence is the CRT's __security_init_cookie, which XORs the system time, process ID, thread ID, tick count and performance counter to seed the /GS stack cookie at start-up. It is a compiler artefact present in every /GS build, not deliberate system-time discovery.

Behavior Graph

(The rendered behaviour graph is not reproduced in this export. Its legend distinguishes: process, signature, created file, DNS/IP info, dropped, Windows process, number of created registry values, number of created files, language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious, Internet.)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                      Detection   Scanner
designdoll_Serial_gen.exe   0%          Virustotal
designdoll_Serial_gen.exe   0%          Metadefender

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

(Screenshot thumbnails are not reproduced in this export.)