Analysis Report ENyCIz4IxY

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 210243
Start date: 23.02.2020
Start time: 00:38:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ENyCIz4IxY (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.winDLL@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.4% (good quality ratio 78.4%)
  • Quality average: 69.1%
  • Quality standard deviation: 40.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Errors:
  • Sigma syntax error: One detector has no map or list, Rule: Discovery of a System Time
  • Sigma syntax error: One detector has no map or list, Rule: File or Folder Permissions Modifications

Detection

Strategy | Score | Range | Whitelisted | Detection
Threshold | 68 | 0 - 100 | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Mitre Att&ck Matrix

Techniques with a signature hit carry the hit count in parentheses; the other entries in each column are the unmatched cells of the rendered matrix.

  • Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
  • Execution: Execution through API (1); Service Execution; Windows Management Instrumentation; Scheduled Task
  • Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
  • Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception; DLL Search Order Hijacking
  • Defense Evasion: Software Packing (1); Process Injection (1); Obfuscated Files or Information (1); Obfuscated Files or Information
  • Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
  • Discovery: System Time Discovery (1); Process Discovery (1); Security Software Discovery (2); System Information Discovery (12)
  • Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
  • Command and Control: Remote File Copy (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud

Signature Overview



AV Detection:

Antivirus detection for sample
  Source: ENyCIz4IxY.dll | Avira: detection malicious, Label: HEUR/AGEN.1010977
Multi AV Scanner detection for domain / URL
  Source: http://2.indexsinas.me:811/c64.exe | Virustotal: Detection: 9%
  Source: http://2.indexsinas.me:811/86.exe | Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
  Source: ENyCIz4IxY.dll | Virustotal: Detection: 77%
  Source: ENyCIz4IxY.dll | ReversingLabs TitaniumCloud: Detection: 86%
Machine Learning detection for sample
  Source: ENyCIz4IxY.dll | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  Source: 0.2.loaddll32.exe.73ec0000.0.unpack | Avira: Label: TR/Dropper.Gen

Networking:

Contains functionality to download additional files from the internet
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED1C90 URLDownloadToFileA,Sleep,WinExec,0_2_73ED1C90
Urls found in memory or binary data
  Source: loaddll32.exe, ENyCIz4IxY.dll | String found in binary or memory: http://2.indexsinas.me:811/86.exe
  Source: loaddll32.exe, 00000000.00000002.2461509472.0000000073EDC000.00000002.00020000.sdmp, ENyCIz4IxY.dll | String found in binary or memory: http://2.indexsinas.me:811/86.exec:
  Source: loaddll32.exe, ENyCIz4IxY.dll | String found in binary or memory: http://2.indexsinas.me:811/c64.exe
  Source: loaddll32.exe, 00000000.00000002.2461509472.0000000073EDC000.00000002.00020000.sdmp, ENyCIz4IxY.dll | String found in binary or memory: http://2.indexsinas.me:811/c64.exec:
  Source: loaddll32.exe, 00000000.00000002.2457216331.00000000008FB000.00000004.00000001.sdmp | String found in binary or memory: http://2.indexsinas.me:811/c64.exey
  Source: loaddll32.exe, ENyCIz4IxY.dll | String found in binary or memory: http://2.indexsinas.me:811/iexplore.exe
  Source: loaddll32.exe, 00000000.00000002.2461509472.0000000073EDC000.00000002.00020000.sdmp, ENyCIz4IxY.dll | String found in binary or memory: http://2.indexsinas.me:811/iexplore.exec:
  Note: the routine at 0x73ED1C90 (URLDownloadToFileA, then Sleep, then WinExec) is a plain download-and-execute loader and the three URLs on 2.indexsinas.me:811 are its candidate targets. No DNS query or other network activity was recorded during the run (see "Program does not show much activity" below), so the routine was never reached in the sandbox and the URLs are static indicators only. The trailing "c:" and "y" on some hits are residue of data adjacent to the URL in the dump, not part of the URL; block on host and port, not on those strings.
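
The three download URLs were recovered from strings, and two of the hits ("86.exec:", "c64.exey") carry trailing bytes that are not part of the URL. The Python below is an added triage example written for this page, not Joe Sandbox code: it shows how a string extractor that drops NUL terminators (a common shortcut for also catching UTF-16 text) fuses neighbouring strings into exactly such artefacts, how splitting on non-printable bytes first avoids them, and how the recovered URLs and the URLDownloadToFileA/WinExec API pair are turned into indicators. The byte blob is constructed for the demonstration: the URLs, API names and PDB path are the ones in this report, the file path packed next to the first URL is invented, and the API-name sets are the author's choice.

```python
import re
from urllib.parse import urlsplit
from typing import Dict, List, Set, Tuple

# Constructed test input (not bytes from the real sample): NUL-terminated ASCII
# strings packed back to back, the way string data sits in a PE image or a
# memory dump. URLs, API names and PDB path are taken from the report; the
# "c:\Users\..." path is invented to sit next to the first URL.
SAMPLE_BLOB = (
    b"\x00\x00http://2.indexsinas.me:811/86.exe\x00c:\\Users\\Public\\86.exe\x00"
    b"http://2.indexsinas.me:811/c64.exe\x00y\x00\\1\\Debug\\1.pdb\x00"
    b"http://2.indexsinas.me:811/iexplore.exe\x00"
    b"URLDownloadToFileA\x00Sleep\x00WinExec\x00IsDebuggerPresent\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")      # what `strings -n 4` keeps
URL_RE = re.compile(r"https?://[A-Za-z0-9._:/\-]+")

# API pairs that together make a classic download-and-execute routine
# (author's lists, extend as needed).
DOWNLOAD_APIS = {"URLDownloadToFileA", "URLDownloadToFileW", "InternetReadFile"}
EXEC_APIS = {"WinExec", "ShellExecuteA", "ShellExecuteW", "CreateProcessA", "CreateProcessW"}


def naive_urls(blob: bytes) -> List[str]:
    """Quick-and-dirty approach: strip NULs so UTF-16 text also matches, then
    regex over the rest. Dropping the terminators fuses neighbouring strings,
    which is how hits such as '.../86.exec:' and '.../c64.exey' come about."""
    text = blob.replace(b"\x00", b"").decode("latin-1")
    return URL_RE.findall(text)


def extract_strings(blob: bytes) -> List[str]:
    """Split on non-printable bytes first, as `strings` does, so each
    NUL-terminated string is considered on its own."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def extract_urls(blob: bytes) -> List[str]:
    """URLs found inside individual strings, deduplicated and sorted."""
    found = {u for s in extract_strings(blob) for u in URL_RE.findall(s)}
    return sorted(found)


def network_indicators(urls: List[str]) -> Set[Tuple[str, int]]:
    """(host, port) pairs for blocking; port defaults to 80/443 by scheme."""
    out: Set[Tuple[str, int]] = set()
    for u in urls:
        parts = urlsplit(u)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        out.add((parts.hostname, port))
    return out


def has_download_execute_pattern(strings: List[str]) -> bool:
    """True when a download API and an execution API both appear. Works on
    import names visible in the image; a sample that resolves them through
    GetProcAddress with encrypted names would hide them from this check."""
    names = set(strings)
    return bool(names & DOWNLOAD_APIS) and bool(names & EXEC_APIS)


def triage(blob: bytes) -> Dict[str, object]:
    """One-shot static triage of a blob: URLs, hosts to block, loader pattern."""
    strings = extract_strings(blob)
    urls = extract_urls(blob)
    return {
        "urls": urls,
        "hosts": network_indicators(urls),
        "download_execute": has_download_execute_pattern(strings),
    }


if __name__ == "__main__":
    print("naive:", naive_urls(SAMPLE_BLOB))
    print("clean:", triage(SAMPLE_BLOB))
```

Run against a real file, `triage(open(path, "rb").read())` gives the same three fields; for a memory dump the host/port set is what goes to the network team, while the fused strings that `naive_urls` returns are what you get if terminators are stripped first.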

System Summary:

Classification label
  Source: classification engine | Classification label: mal68.winDLL@1/0@0/0
Reads software policies
  Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Note: this is the Software Restriction Policies key; it is routinely read when a process starts and is not by itself evidence of policy tampering.
Sample is known by Antivirus
  Source: ENyCIz4IxY.dll | Virustotal: Detection: 77%
  Source: ENyCIz4IxY.dll | ReversingLabs TitaniumCloud: Detection: 86%
Contains modern PE file flags such as dynamic base (ASLR) or NX
  Source: ENyCIz4IxY.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
  Source: ENyCIz4IxY.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
  Source: Binary string: \1\Debug\1.pdb{ | source: loaddll32.exe, 00000000.00000002.2461509472.0000000073EDC000.00000002.00020000.sdmp, ENyCIz4IxY.dll
  Source: Binary string: \1\Debug\1.pdb | source: loaddll32.exe, 00000000.00000002.2461509472.0000000073EDC000.00000002.00020000.sdmp, ENyCIz4IxY.dll
  Note: the PDB path names a Visual Studio project called "1" built in its Debug configuration. Together with the populated debug directory, the .textbss section reported under Data Obfuscation and the CRT-internal symbol names elsewhere in this report, this looks like an unstripped MSVC debug build rather than a packed or tool-generated binary.

Data Obfuscation:

Contains functionality to dynamically determine API calls
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED9F18 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_73ED9F18
  Note: a LoadLibraryW followed by a run of GetProcAddress/EncodePointer pairs is most likely the start-up code of the statically linked MSVC C runtime (the same runtime that contributes the __crtGetLocaleInfoA_stat symbol below), not author-written API hiding.
PE file contains sections with non-standard names
  Source: ENyCIz4IxY.dll | Static PE information: section name: .textbss
  Note: .textbss is the section MSVC emits for incremental linking in Debug builds and is consistent with the \1\Debug\1.pdb path; it is not a packer artefact, even though it is what triggered the Software Packing cell in the ATT&CK matrix.
Uses code obfuscation techniques (call, push, ret)
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED4125 push ecx; ret 0_2_73ED4138
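
Added example, not part of this report or of the sample: a minimal PE header inspector in Python that reproduces the three static checks made above (DllCharacteristics flags such as DYNAMIC_BASE and NX_COMPAT, section names outside the usual set such as .textbss, and presence of a debug data directory) without the pefile package. build_test_pe constructs a synthetic PE32 DLL header shaped like the report's findings for the demonstration; it is not the real file, and the list of "standard" section names is the author's, not Joe Sandbox's.

```python
import struct
from typing import Dict, List

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits from winnt.h, ascending.
DLL_CHARACTERISTICS = [
    (0x0020, "HIGH_ENTROPY_VA"),
    (0x0040, "DYNAMIC_BASE"),      # ASLR opt-in
    (0x0080, "FORCE_INTEGRITY"),
    (0x0100, "NX_COMPAT"),         # DEP opt-in
    (0x0400, "NO_SEH"),
    (0x1000, "APPCONTAINER"),
    (0x4000, "GUARD_CF"),
]
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
# Section names a typical MSVC/MinGW image uses; anything else is reported.
# Author's list, extend as needed.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".debug"}


def inspect_pe(data: bytes) -> Dict[str, object]:
    """Parse just enough of a PE32/PE32+ header for the three static checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        ndirs_off = 92
    elif magic == 0x20B:        # PE32+: ImageBase and the stack/heap fields are 8 bytes
        ndirs_off = 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    debug_rva = debug_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_DEBUG:
        debug_rva, debug_size = struct.unpack_from(
            "<II", data, opt + ndirs_off + 4 + IMAGE_DIRECTORY_ENTRY_DEBUG * 8)
    sec = opt + opt_size
    names: List[str] = []
    for i in range(nsections):
        raw = data[sec + i * 40: sec + i * 40 + 8]             # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS if dllchar & bit],
        "sections": names,
        "non_standard_sections": [n for n in names if n not in STANDARD_SECTIONS],
        "has_debug_directory": debug_rva != 0 and debug_size != 0,
    }


def build_test_pe(dll_characteristics: int, section_names: List[str],
                  debug_dir_size: int) -> bytes:
    """Constructed PE32 DLL header (headers only, no code) for the demo;
    not the real sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224,
                       0x0002 | 0x0100 | IMAGE_FILE_DLL)         # EXECUTABLE | 32BIT | DLL
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_DEBUG * 8,
                     0x3000 if debug_dir_size else 0, debug_dir_size)
    sections = b"".join(n.encode("ascii").ljust(8, b"\x00") + bytes(32)
                        for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sections


# Header shaped like the report's findings: ASLR+NX set, .textbss present,
# debug directory populated.
SAMPLE_LIKE = build_test_pe(
    0x0040 | 0x0100,
    [".textbss", ".text", ".rdata", ".data", ".idata", ".rsrc", ".reloc"],
    28)

if __name__ == "__main__":
    for key, value in inspect_pe(SAMPLE_LIKE).items():
        print(f"{key}: {value}")
```

For a real file, `inspect_pe(open(path, "rb").read())` is enough; a hardened modern build would additionally show HIGH_ENTROPY_VA and GUARD_CF, whereas the report's sample shows only the two flags that MSVC has set by default for years, so their presence says nothing about the author's intent.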

Malware Analysis System Evasion:

Program does not show much activity (idle)
  Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
  Note: the run ended on timeout with the download routine never triggered, so the dynamic picture covers only what loaddll32.exe itself caused the DLL to execute; the verdict rests on static indicators and AV/ML hits rather than observed behaviour.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED1078 IsDebuggerPresent,0_2_73ED1078
Contains functionality to dynamically determine API calls
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED9F18 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_73ED9F18
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED130C GetProcessHeap,0_2_73ED130C
Program does not show much activity (idle)
  Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED69DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_73ED69DB
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED7946 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_73ED7946
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED1172 SetUnhandledExceptionFilter,0_2_73ED1172
  Note: the IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess sequences at 0x73ED69DB and 0x73ED7946 are the MSVC CRT's fault-reporting path (the code behind abort() and the /GS stack-cookie failure handler), and a lone GetProcessHeap is typical of CRT heap initialisation. Only the bare IsDebuggerPresent call at 0x73ED1078 is a candidate for deliberate anti-debugging, and a weak one.

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  Source: loaddll32.exe, 00000000.00000002.2457696698.00000000012E0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
  Source: loaddll32.exe, 00000000.00000002.2457696698.00000000012E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
  Source: loaddll32.exe, 00000000.00000002.2457696698.00000000012E0000.00000002.00000001.sdmp | Binary or memory string: Progman
  Source: loaddll32.exe, 00000000.00000002.2457696698.00000000012E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
  Note: all four strings come from a single memory region of the loaddll32.exe host process, not from the ENyCIz4IxY.dll image, and no injection was observed; treat this as a low-confidence hit.

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
  Source: C:\Windows\System32\loaddll32.exe | Code function: GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_73ED67A0
  Source: C:\Windows\System32\loaddll32.exe | Code function: __crtGetLocaleInfoA_stat,0_2_73ED9EBB
  Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,0_2_73ED9DAB
  Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,0_2_73ED115E
Contains functionality to query local / system time
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73ED4565 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_73ED4565
  Note: this five-call sequence is __security_init_cookie, the routine that seeds the MSVC /GS stack cookie, and the GetLocaleInfoW calls belong to CRT locale initialisation (__crtGetLocaleInfoA_stat is a CRT-internal name). These are build-tooling artefacts, not reconnaissance of the victim's locale or clock.

Malware Configuration

No configs have been found

Behavior Graph


Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ENyCIz4IxY.dll | 78% | Virustotal |
ENyCIz4IxY.dll | 87% | ReversingLabs TitaniumCloud FileReputation | Win32.Trojan.Small
ENyCIz4IxY.dll | 100% | Avira | HEUR/AGEN.1010977
ENyCIz4IxY.dll | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.73ec0000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://2.indexsinas.me:811/c64.exe | 10% | Virustotal |
http://2.indexsinas.me:811/c64.exe | 0% | Avira URL Cloud | safe
http://2.indexsinas.me:811/86.exec: | 0% | Avira URL Cloud | safe
http://2.indexsinas.me:811/c64.exey | 0% | Avira URL Cloud | safe
http://2.indexsinas.me:811/c64.exec: | 0% | Avira URL Cloud | safe
http://2.indexsinas.me:811/86.exe | 14% | Virustotal |
http://2.indexsinas.me:811/86.exe | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
