Analysis Report addceupr21_bubbles.exe

Overview

General Information

Sample Name:addceupr21_bubbles.exe
Analysis ID:321424
MD5:11c2b95348f338db6835c23e6be1c862
SHA1:3346e2fe2384afd22218c16c9028b56a2fed3d66
SHA256:a365df50290d34a97ad1c02a9c1d9d39a6365720f947703292a3a00a6575a61c

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Machine Learning detection for sample
PE file has a writeable .text section
Antivirus or Machine Learning detection for unpacked file
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Startup

  • System is w10x64
  • addceupr21_bubbles.exe (PID: 380 cmdline: 'C:\Users\user\Desktop\addceupr21_bubbles.exe' MD5: 11C2B95348F338DB6835C23E6BE1C862)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
  • Source: addceupr21_bubbles.exe | Avira: detected
Multi AV Scanner detection for submitted file
  • Source: addceupr21_bubbles.exe | Virustotal: Detection: 26%
Machine Learning detection for sample
  • Source: addceupr21_bubbles.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  • Source: 0.2.addceupr21_bubbles.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
  • Source: 0.0.addceupr21_bubbles.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Found inlined nop instructions (likely shell or obfuscated code)
  • Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | Code function: 4x nop then push ebp

System Summary:

Potential malicious icon found
  • Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
PE file has a writeable .text section
  • Source: addceupr21_bubbles.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
PE file contains strange resources
  • Source: addceupr21_bubbles.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains an invalid checksum
  • Source: addceupr21_bubbles.exe | Static PE information: real checksum: 0x13422 should be: 0x1aed7
Sample file is different than original file name gathered from version info
  • Source: addceupr21_bubbles.exe, 00000000.00000002.212499955.000000000040A000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameBubbles.exe vs addceupr21_bubbles.exe
  • Source: addceupr21_bubbles.exe, 00000000.00000002.212681425.00000000021C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs addceupr21_bubbles.exe
  • Source: addceupr21_bubbles.exe | Binary or memory string: OriginalFilenameBubbles.exe vs addceupr21_bubbles.exe
Found large amount of non-executed APIs
  • Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | API coverage: 0.3 %
Program does not show much activity (idle)
  • Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Additional sources:
  • Source: addceupr21_bubbles.exe | Binary or memory string: @*\AC:\Documents and Settings\Mkelly\My Documents\Bubbles\Bubbles.vbp
  • Source: addceupr21_bubbles.exe, 00000000.00000002.212496871.0000000000409000.00000004.00020000.sdmp | Binary or memory string: f(4@*\AC:\Documents and Settings\Mkelly\My Documents\Bubbles\Bubbles.vbp
  • Source: classification engine | Classification label: mal72.rans.winEXE@1/0@0/0
  • Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
  • Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • Source: addceupr21_bubbles.exe | Virustotal: Detection: 26%
  • Source: C:\Users\user\Desktop\addceupr21_bubbles.exe | Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Matched techniques (number of matching signatures in parentheses); all other tactics: no match.
  • Defense Evasion: Software Packing (1)
  • Defense Evasion: Obfuscated Files or Information (1)
  • Discovery: System Information Discovery (1)

Behavior Graph

(graph image not reproduced in this extract)

Screenshots

(screenshots not reproduced in this extract)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
addceupr21_bubbles.exe | 27% | Virustotal |
addceupr21_bubbles.exe | 100% | Avira | TR/Dropper.Gen
addceupr21_bubbles.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.addceupr21_bubbles.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.0.addceupr21_bubbles.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:321424
Start date:22.11.2020
Start time:01:56:02
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 40s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:addceupr21_bubbles.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:25
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.rans.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 65% (good quality ratio 20%)
  • Quality average: 31.1%
  • Quality standard deviation: 46%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.49233828273567
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.15%
  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:addceupr21_bubbles.exe
File size:53248
MD5:11c2b95348f338db6835c23e6be1c862
SHA1:3346e2fe2384afd22218c16c9028b56a2fed3d66
SHA256:a365df50290d34a97ad1c02a9c1d9d39a6365720f947703292a3a00a6575a61c
SHA512:3e38713f66ab5e6a8a20428978f8280250a1e782a8398a6081c93e2135d6527584c0fac8a42c3a3ea14c3631e67a891dbf5fc8f5b51e0d781138b4eda19e681e
SSDEEP:384:62sltQZAASik6ixk0sBZZ1XCvUARW6KMgH6/oPPD7tWBCVSVZb1HOqaVSM36:UltQZA96ck0sBx8RW6Kh3D7kBBpue
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................z...............T.......Rich............PE..L....g5<..................... ....................@................

File Icon

Icon Hash:20047c7c70f0e004

Static PE Info

General

Entrypoint:0x401318
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x3C3567D3 [Fri Jan 4 08:29:07 2002 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:9845ab130c6b0538839ca253be6d3d6e

Entrypoint Preview

Instruction
push 00401B0Ch
call 00007FF5B07B21C5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
push 38000000h
add byte ptr [eax], al
add bh, bh
rcl dword ptr [edx-6Ch], 1

This is the standard Visual Basic 6 entry stub: a push of the address of the VB project header (0x401B0C) followed by a call into the VB runtime, MSVBVM60.DLL, which is the only DLL the file imports. The bytes that follow the call are that header's data, so the remaining lines are a disassembly of data, not code to be executed.

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7f34 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x8d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | (headers)
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x114 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8000 | 0x8000 | False | 0.298797607422 | data | 4.9798968159 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1000 | 0x1000 | False | 0.223876953125 | data | 2.36191635208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x20ac | 0x3000 | False | 0.334309895833 | data | 4.39637685669 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xa7a4 | 0x130 | data | |
RT_ICON | 0xa4bc | 0x2e8 | data | |
RT_ICON | 0xa394 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xa364 | 0x30 | data | |
RT_VERSION | 0xa150 | 0x214 | data | English | United States

Imports

DLL: MSVBVM60.DLL
Imports: EVENT_SINK_GetIDsOfNames, __vbaVarTstGt, __vbaStrI2, _CIcos, _adj_fptan, __vbaStrI4, __vbaFreeVar, __vbaLateIdCall, __vbaFreeVarList, _adj_fdiv_m64, EVENT_SINK_Invoke, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, Zombie_GetTypeInfo, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaForEachCollVar, _CIsin, __vbaVarZero, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, __vbaNextEachCollVar, __vbaVarLateMemSt, _adj_fpatan, Zombie_GetTypeInfoCount, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaLateIdStAd, __vbaFPException, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVerifyVarObj, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaForEachVar, _allmul, __vbaLateIdSt, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr
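The "Import Hash" field in the Static PE Info above is derived from exactly this import list. The function below is an added example (not Joe Sandbox or pefile code) that implements the pefile/Mandiant imphash convention: an MD5 over "dll.function" entries in import-table order, with DLL names lowercased and the .dll/.ocx/.sys extension stripped, function names lowercased, and ordinal imports written as "ordN". It is useful for understanding why the hash is a family signature rather than a file signature: any VB6 binary importing the same runtime functions in the same order hashes the same. Assumptions: the sample input is only a prefix of the MSVBVM60.DLL list printed above, in the order printed, so it is not expected to reproduce 9845ab130c6b0538839ca253be6d3d6e; pefile additionally resolves ordinals of a few well-known DLLs (e.g. ws2_32) to names, which this version does not.

```python
"""Import hash (imphash) per the pefile/Mandiant convention.  Added example;
the import list below is a constructed prefix of the report's MSVBVM60.DLL
imports and is not the full table."""
import hashlib

def normalize_dll(name):
    """Lowercase the DLL name and drop a .dll/.ocx/.sys extension."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[:-len(ext)]
    return name

def imphash(imports):
    """imports: sequence of (dll, function name or ordinal int) in import-table order."""
    entries = []
    for dll, func in imports:
        if isinstance(func, int):            # import by ordinal, no name available
            func = "ord%d" % func
        entries.append("%s.%s" % (normalize_dll(dll), func.lower()))
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()

# Constructed input: the first entries of the MSVBVM60.DLL list as printed in the report
REPORTED_PREFIX = [("MSVBVM60.DLL", f) for f in (
    "EVENT_SINK_GetIDsOfNames", "__vbaVarTstGt", "__vbaStrI2", "_CIcos",
    "_adj_fptan", "__vbaStrI4", "__vbaFreeVar", "__vbaLateIdCall")]

if __name__ == "__main__":
    print(imphash(REPORTED_PREFIX))
```

Because order is part of the hash, two builds of the same project with a different function ordering in the import table get different imphashes, while case and extension differences in the DLL name do not matter.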

Version Infos

Translation:0x0409 0x04b0
InternalName:Bubbles
FileVersion:1.00
CompanyName:CooperVision
ProductName:Bubbles
ProductVersion:1.00
OriginalFilename:Bubbles.exe

Possible Origin

Language of compilation system:English
Country where language is spoken:United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

General

Start time:01:56:49
Start date:22/11/2020
Path:C:\Users\user\Desktop\addceupr21_bubbles.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\addceupr21_bubbles.exe'
Imagebase:0x400000
File size:53248 bytes
MD5 hash:11C2B95348F338DB6835C23E6BE1C862
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Visual Basic
Reputation:low
