
Analysis Report l93GktCkKF.000

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218158
Start date: 26.03.2020
Start time: 10:22:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: l93GktCkKF.000 (renamed file extension from 000 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: UNKNOWN
Classification: unknown1.winEXE@0/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Unable to launch sample, stop analysis
Errors:
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 1     | 0 - 100 | false     |             | unknown

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 4     | 0 - 5 | false                      |


Classification Spiderchart

Analysis Advice

Sample is corrupt or needs to be run on a newer Windows version



Mitre Att&ck Matrix

No Mitre Att&ck techniques found

Signature Overview



System Summary:

PE file overlay found
Source: l93GktCkKF.exe, Static PE information: Data appended to the last section found
Classification label
Source: classification engine, Classification label: unknown1.winEXE@0/0@0/0
PE file has an executable .text section and no other executable section
Source: l93GktCkKF.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Data Obfuscation:

PE file contains an invalid checksum
Source: l93GktCkKF.exe, Static PE information: real checksum: 0xf763b should be: 0xf913

Malware Configuration

No configs have been found

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source         | Detection | Scanner    | Label | Link
l93GktCkKF.exe | 6%        | Virustotal |       | Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.308074479084569
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: l93GktCkKF.exe
File size: 32768
MD5: c94147ae53000fb0579f47c5f17ebc5d
SHA1: b01c06cee3d5650db1de5a26c068af8302290d3a
SHA256: 2b350f206ea609c25a7114a47a33cebb24fb5e9bea954f3d6addde32a0248f6e
SHA512: dbba262a037eba38e30efe327261c7df01d4be6ecf3445321b30127fad3d135383140f5e74ea3ffe5e064e8788ade26512caf73bed90a56c8a29f707364502ce
SSDEEP: 384:Kl9tN1jaKdhR2P4+vx9ue0O0bfc8ZYiM2aTrqqxm0JhWNwCW1e:S3jaKd3a4+vxIOWfKBTrqH0ONwCWU
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........F.O.(.O.(.O.(...u.I.(...&.M.(. .".D.(. .,.M.(.y.,.M.(.O.)...(...,.J.(.y.#.K.(.....N.(.RichO.(.................PE..L......A...

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x40139d
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x41FAEF96 [Sat Jan 29 02:06:14 2005 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: fc54a509ed6572e43580bc58cdd11fad

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
    Subject Chain
      Version:
      Thumbprint MD5:
      Thumbprint SHA-1:
      Thumbprint SHA-256:
      Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00402220h
push 00401524h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004020FCh]
pop ecx
or dword ptr [00403114h], FFFFFFFFh
or dword ptr [00403118h], FFFFFFFFh
call dword ptr [004020F8h]
mov ecx, dword ptr [00403108h]
mov dword ptr [eax], ecx
call dword ptr [004020D4h]
mov ecx, dword ptr [00403104h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00402114h]
mov eax, dword ptr [eax]
mov dword ptr [00403110h], eax
call 00007FDF3CEDE19Ch
cmp dword ptr [00403020h], ebx
jne 00007FDF3CEDE08Eh
push 00401520h
call dword ptr [004020ECh]
pop ecx
call 00007FDF3CEDE16Eh
push 00403014h
push 00403010h
call 00007FDF3CEDE159h
mov eax, dword ptr [00403100h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004030FCh]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004020E4h]
push 0040300Ch
push 00403000h
call 00007FDF3CEDE126h

Rich Headers

Programming Language:
  • [C++] VS98 (6.0) SP6 build 8804
  • [EXP] VC++ 6.0 SP5 build 8804
  • [LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x22d0          | 0xa0         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x4000          | 0x20730      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0xe77c8         | 0x1870       |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x140        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
.text  | 0x1000          | 0x5e2        | 0x1000   | False    | 0.238525390625  | data      | 2.68999127597  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2000          | 0x6ba        | 0x1000   | False    | 0.2080078125    | data      | 2.51566489714  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x3000          | 0x11c        | 0x1000   | False    | 0.0107421875    | data      | 0.0224829665441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  | 0x4000          | 0x20730      | 0x21000  | False    | 0.947387695312  | data      | 7.75968974545  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name          | RVA     | Size    | Type                                                                                                              | Language | Country
RT_ICON       | 0x4280  | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 9476505 |          |
RT_ICON       | 0x4568  | 0xd33b  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                       |          |
RT_ICON       | 0x118a4 | 0x10828 | empty                                                                                                             |          |
RT_ICON       | 0x220cc | 0x25a8  | empty                                                                                                             |          |
RT_STRING     | 0x24674 | 0x68    | empty                                                                                                             | English  | United States
RT_RCDATA     | 0x246dc | 0x4     | empty                                                                                                             |          |
RT_RCDATA     | 0x246e0 | 0x4     | empty                                                                                                             |          |
RT_RCDATA     | 0x246e4 | 0x4     | empty                                                                                                             |          |
RT_RCDATA     | 0x246e8 | 0x4     | empty                                                                                                             |          |
RT_RCDATA     | 0x246ec | 0x4     | empty                                                                                                             |          |
RT_GROUP_ICON | 0x246f0 | 0x3e    | empty                                                                                                             |          |

Imports

DLL          | Import
cdlli30.dll  | _SqlRunStartup@12
CSi30.dll    | ?LocateRunFile@@YGJPAUHINSTANCE__@@PAD@Z
MFC42.DLL    |
MSVCRT.dll   | __p__commode, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _onexit, _exit, __p__fmode, __set_app_type, _except_handler3, __dllonexit, _controlfp, _splitpath, __CxxFrameHandler, _adjust_fdiv, _setmbcp
KERNEL32.dll | GetModuleFileNameA, GetModuleHandleA, GetStartupInfoA
USER32.dll   | MessageBoxA, wsprintfA
ole32.dll    | CoUninitialize, CoInitializeEx

Possible Origin

Language of compilation system | Country where language is spoken
English                        | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly