
Analysis Report addceupr21_bubbles.exe

Overview

General Information

Sample Name:addceupr21_bubbles.exe
Analysis ID:321424
MD5:11c2b95348f338db6835c23e6be1c862
SHA1:3346e2fe2384afd22218c16c9028b56a2fed3d66
SHA256:a365df50290d34a97ad1c02a9c1d9d39a6365720f947703292a3a00a6575a61c

Most interesting Screenshot:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Machine Learning detection for sample
PE file has a writeable .text section
Antivirus or Machine Learning detection for unpacked file
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Startup

  • System is w10x64
  • addceupr21_bubbles.exe (PID: 380 cmdline: 'C:\Users\user\Desktop\addceupr21_bubbles.exe' MD5: 11C2B95348F338DB6835C23E6BE1C862)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: addceupr21_bubbles.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: addceupr21_bubbles.exe | Virustotal: Detection: 26%
Machine Learning detection for sample
Source: addceupr21_bubbles.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.addceupr21_bubbles.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.addceupr21_bubbles.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | Code function: 4x nop then push ebp | 0_2_00406170

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
PE file has a writeable .text section
Source: addceupr21_bubbles.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
PE file contains strange resources
Source: addceupr21_bubbles.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: addceupr21_bubbles.exe, 00000000.00000002.212499955.000000000040A000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameBubbles.exe vs addceupr21_bubbles.exe
Source: addceupr21_bubbles.exe, 00000000.00000002.212681425.00000000021C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs addceupr21_bubbles.exe
Source: addceupr21_bubbles.exe | Binary or memory string: OriginalFilenameBubbles.exe vs addceupr21_bubbles.exe
Source: addceupr21_bubbles.exe | Binary or memory string: @*\AC:\Documents and Settings\Mkelly\My Documents\Bubbles\Bubbles.vbp
Source: addceupr21_bubbles.exe, 00000000.00000002.212496871.0000000000409000.00000004.00020000.sdmp | Binary or memory string: f(4@*\AC:\Documents and Settings\Mkelly\My Documents\Bubbles\Bubbles.vbp
Source: classification engine | Classification label: mal72.rans.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: addceupr21_bubbles.exe | Virustotal: Detection: 26%
PE file contains an invalid checksum
Source: addceupr21_bubbles.exe | Static PE information: real checksum: 0x13422 should be: 0x1aed7
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | Process information set: NOOPENFILEERRORBOX
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | API coverage: 0.3 %
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Note on reading these results: msvbvm60.dll is the Visual Basic 6 runtime, and the embedded Bubbles.vbp path is the VB6 project path that the compiler stores in every VB6 executable, so the OriginalFilename mismatch simply reflects a renamed VB6 build of "Bubbles.exe". The Safer\CodeIdentifiers key read is the Software Restriction Policy lookup performed at process start and is not by itself suspicious. The score therefore rests on static heuristics (AV labels, icon match, writable .text, checksum mismatch, nop padding) with no confirming dynamic behaviour: 0.3 % API coverage and no dropped files, registry writes, injection or DNS during the run, so the "rans" tag in the classification label is not supported by anything observed here.
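Three of the static findings above (the writable .text section, the checksum mismatch, and "4x nop then push ebp") can be checked outside the sandbox. The script below is an added example written for this page; it is not part of the Joe Sandbox report and does not operate on addceupr21_bubbles.exe. It parses the PE header with the standard library only, recomputes the image checksum the way imagehlp's CheckSumMappedFile does, and scans code sections for nop runs followed by push ebp. The function names (parse_pe, pe_checksum, triage, build_test_pe) are my own, and the PE it analyses in its demo is a minimal image constructed in memory, so the values it reports are for that constructed image, not for the sample.

```python
import re
import struct

# Section characteristic flags (PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DEMO_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_pe(data):
    """Read the CheckSum field and the section table of a PE32/PE32+ image (stdlib only)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    checksum_offset = opt + 64          # CheckSum sits at the same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    sections, table = [], opt + opt_size
    for i in range(nsections):
        hdr = table + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": chars,
                         "raw": data[raw_ptr:raw_ptr + raw_size]})
    return {"checksum_offset": checksum_offset, "checksum": stored, "sections": sections}


def pe_checksum(data, checksum_offset):
    """Image checksum as imagehlp's CheckSumMappedFile computes it: fold the whole file
    into 16 bits, skipping the CheckSum field itself, then add the file length.
    Assumes the field is 4-byte aligned, which linker-produced headers guarantee."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def _is_code(section):
    return bool(section["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))


def triage(data):
    """Reproduce three of the report's static checks and return structured findings."""
    pe = parse_pe(data)
    computed = pe_checksum(data, pe["checksum_offset"])
    writable_code = [s["name"] for s in pe["sections"]
                     if _is_code(s) and s["characteristics"] & IMAGE_SCN_MEM_WRITE]
    nop_runs = []                       # (section, offset, nop count): "N x nop then push ebp"
    for s in pe["sections"]:
        if _is_code(s):
            for m in re.finditer(rb"\x90{4,}\x55", s["raw"]):
                nop_runs.append((s["name"], m.start(), len(m.group()) - 1))
    return {"writable_code": writable_code,
            "checksum": {"stored": pe["checksum"], "computed": computed,
                         "valid": pe["checksum"] == computed},
            "nop_runs": nop_runs}


def build_test_pe(section_flags, code, checksum=0):
    """Constructed minimal PE32 image with one .text section, for the demo only."""
    file_align = header_size = 0x200
    raw = code.ljust(file_align, b"\xcc")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB9I", 0x10B, 14, 0, len(raw), 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, file_align)
    opt += struct.pack("<6H", 4, 0, 0, 0, 4, 0)
    opt += struct.pack("<4I", 0, 0x2000, header_size, checksum)    # ..., SizeOfHeaders, CheckSum
    opt += struct.pack("<2H4I2I", 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                              # 16 empty data directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(raw), 0x1000, len(raw), header_size,
                      0, 0, 0, 0, section_flags)
    return (dos + coff + opt + sec).ljust(header_size, b"\0") + raw


if __name__ == "__main__":
    # Constructed sample: RWX .text, a bogus stored checksum, and "4x nop then push ebp" at offset 0
    sample = build_test_pe(DEMO_FLAGS, b"\x90\x90\x90\x90\x55\x8b\xec", checksum=0x1234)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

To run it on a real file use triage(open(path, "rb").read()). Two caveats when reading the output: a stored checksum of 0 means the linker never set one, which is common in benign unsigned builds, whereas a non-zero value that does not match (as in this report, 0x13422 against an expected 0x1aed7) means the file was modified after linking; and a writable code section is normal for some toolchains, so neither finding is a verdict on its own.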

Mitre Att&ck Matrix

Each tactic column is listed with the techniques the matrix displays; a trailing count marks a technique the sandbox actually matched for this sample, the rest are unmatched placeholders.

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Software Packing (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Information Discovery (1); Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph


Screenshots
