Analysis Report Loader_v2_11cr122.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 220800
Start date: 07.04.2020
Start time: 13:49:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Loader_v2_11cr122.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.evad.winEXE@1/1@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 57.2% (good quality ratio 30.5%)
  • Quality average: 24.8%
  • Quality standard deviation: 26.9%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 4
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, MusNotifyIcon.exe, conhost.exe, svchost.exe, UsoClient.exe
  • Execution Graph export aborted for target Loader_v2_11cr122.exe, PID 4492 because it is empty
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 68
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")



Mitre Att&ck Matrix

(The number following a technique name is the signature-hit badge from the report, reproduced as extracted.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command-Line Interface 2 | Winlogon Helper DLL | Process Injection 1 | Masquerading 11 | Credential Dumping | Virtualization/Sandbox Evasion 11 | Application Deployment Software | Data from Local System | Data Compressed | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Software Packing 11 | Network Sniffing | Process Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Virtualization/Sandbox Evasion 11 | Input Capture | Security Software Discovery 11 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Timestomp 1 | Credentials in Files | File and Directory Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection 1 | Account Manipulation | System Information Discovery 12 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 2 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  • Source: Loader_v2_11cr122.exe | Virustotal: Detection: 22%

Networking:

Urls found in memory or binary data
  • Source: Loader_v2_11cr122.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html

System Summary:

PE file has a writeable .text section
  • Source: Loader_v2_11cr122.exe | Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Creates files inside the system directory
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
PE file contains strange resources
  • Source: Loader_v2_11cr122.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
  • Source: 9A26.tmp.0.dr | Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
  • Source: Loader_v2_11cr122.exe, 00000000.00000002.2237905952.000000006EE7F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Loader_v2_11cr122.exe
  • Source: Loader_v2_11cr122.exe, 00000000.00000002.2235440842.00000000001D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameOLEACCRC.DLLj% vs Loader_v2_11cr122.exe
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
  • Source: 9A26.tmp.0.dr | Binary string: \Device\IPT
Classification label
  • Source: classification engine | Classification label: mal68.evad.winEXE@1/1@0/0
Creates files inside the user directory
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | File created: C:\Users\user\Desktop\@ I
Creates temporary files
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | File created: C:\Users\user\AppData\Local\Temp\page
PE file has an executable .text section and no other executable section
  • Source: Loader_v2_11cr122.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | File read: C:\Users\desktop.ini
Reads software policies
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
  • Source: Loader_v2_11cr122.exe | Virustotal: Detection: 22%
Sample might require command line arguments
  • Source: Loader_v2_11cr122.exe | String found in binary or memory: AddDllDirectory\/LoadLibraryExAkernel32if_nametoindexiphlpapi.dll<no protocol>
Uses an in-process (OLE) Automation server
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
PE file contains a mix of data directories often seen in goodware
  • Source: Loader_v2_11cr122.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
  • Source: Loader_v2_11cr122.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
  • Source: Loader_v2_11cr122.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
  • Source: Loader_v2_11cr122.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
  • Source: Loader_v2_11cr122.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
  • Source: Loader_v2_11cr122.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directory
  • Source: Loader_v2_11cr122.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
  • Source: Binary string: wntdll.pdbUGP source: Loader_v2_11cr122.exe, 00000000.00000002.2237529169.000000006ED61000.00000020.00020000.sdmp, 9A26.tmp.0.dr
  • Source: Binary string: wntdll.pdb source: Loader_v2_11cr122.exe, 00000000.00000002.2237529169.000000006ED61000.00000020.00020000.sdmp, 9A26.tmp.0.dr
PE file contains a valid data directory to section mapping
  • Source: Loader_v2_11cr122.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
  • Source: Loader_v2_11cr122.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
  • Source: Loader_v2_11cr122.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
  • Source: Loader_v2_11cr122.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
  • Source: Loader_v2_11cr122.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Unpacked PE file: 0.2.Loader_v2_11cr122.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.text:W;.rsrc:R;.reloc:R; vs .text:EW;
Binary contains a suspicious time stamp
  • Source: initial sample | Static PE information: 0x845DE87A [Wed May 16 02:07:54 2040 UTC]
PE file contains sections with non-standard names
  • Source: 9A26.tmp.0.dr | Static PE information: section name: RT
  • Source: 9A26.tmp.0.dr | Static PE information: section name: .mrdata
  • Source: 9A26.tmp.0.dr | Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_0040507B push 0000007Bh; iretd 0_2_00405085
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_004040D0 push eax; retf 0_2_004040D1
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_00402975 push eax; ret 0_2_00402A1E
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_004029C6 push eax; ret 0_2_00402A1E
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_004011C7 push esp; ret 0_2_004011FC
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_004029D4 push eax; ret 0_2_00402A1E
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_004029DB push eax; ret 0_2_00402A1E
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_00402984 push eax; ret 0_2_00402A1E
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_004029A2 push eax; ret 0_2_00402A1E
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_004029A9 push eax; ret 0_2_00402A1E
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_0040124C push esp; ret 0_2_004011FC
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_00402A04 push eax; ret 0_2_00402A1E
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_00402A0E push eax; ret 0_2_00402A1E
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_00403E3F push ebx; retf 0_2_00403E43
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_00405E8C push ss; iretd 0_2_00405E8D
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_00407318 push edi; iretd 0_2_00407321
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Code function: 0_2_004063F2 push 40F5F71Bh; iretd 0_2_0040640B
Binary may include packed or encrypted code
  • Source: initial sample | Static PE information: section name: .text entropy: 6.85194020686

Persistence and Installation Behavior:

Drops PE files
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | File created: C:\Users\user\AppData\Local\Temp\9A26.tmp

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Process information set: NOOPENFILEERRORBOX
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Process information set: NOOPENFILEERRORBOX
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Process information set: NOOPENFILEERRORBOX
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Process information set: NOOPENFILEERRORBOX
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | System information queried: FirmwareTableInformation
Queries disk information (often used to detect virtual machines)
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | File opened: PhysicalDrive0

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  • Source: Loader_v2_11cr122.exe, 00000000.00000002.2236339299.0000000000E40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
  • Source: Loader_v2_11cr122.exe, 00000000.00000002.2236339299.0000000000E40000.00000002.00000001.sdmp | Binary or memory string: Progman
  • Source: Loader_v2_11cr122.exe, 00000000.00000002.2236339299.0000000000E40000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
  • Source: Loader_v2_11cr122.exe, 00000000.00000002.2236339299.0000000000E40000.00000002.00000001.sdmp | Binary or memory string: =Program Managerb

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
  • Source: C:\Users\user\Desktop\Loader_v2_11cr122.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Loader_v2_11cr122.exe | 22% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\9A26.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\9A26.tmp | 0% | Metadefender |

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.Loader_v2_11cr122.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\9A26.tmp

Associated Sample Name / URL | Detection
PO_229933.xls.exe | malicious
https://galuhtea.com/ez2/download.php?attach=PO_229933 | malicious
03.2020a..js | malicious
02.2020a..js | malicious
438279ghh[1].exe | malicious
aG#U00d1s.js | malicious
http://troubleshootingasaservice.com/paymentNotification.jar | malicious
ioclase.exe | malicious
435#U0445.js | malicious
456#U0441.js | malicious
456#U0441.js | malicious
appsetup.exe | malicious
a#U00e1sp#U00a1#U00ab#U00ac #U00ba#U00e1 #U00bd#U00bf#U00dfG#U00ab#U00bb#U00e1#U00f1.exe | malicious
30#U0434.exe | malicious
a#U00e1sp#U00a1#U00ab#U00ac #U00ba#U00e1 #U00bd#U00bf#U00dfG#U00ab#U00bb#U00e1#U00f1.exe | malicious
#U00c9#U00e1sp#U00a1#U00ab#U00ac #U00f1#U00ab #U00ab#U00bb#U00bd#U00e1G#U00bf.js | malicious
#U00c9#U00e1sp#U00a1#U00ab#U00ac #U00f1#U00ab #U00ab#U00bb#U00bd#U00e1G#U00bf.js | malicious
SETUP.EXE | malicious
EQLDriver.dll | malicious
AvrProg.exe | malicious

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.