Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report CUSTOM SHIPING DOCS.exe

Overview

General Information

Sample Name:CUSTOM SHIPING DOCS.exe
Analysis ID:326327
MD5:5533ec4c49c29a1225d1b01d38933bd4
SHA1:f3aa3401d15d44d65177ba02244c189ee1e822fb
SHA256:ed8bdc7dfb03c556a144b552517f725297acac5c046313b9f8a96432d94cdf5c
Tags:exe

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Machine Learning detection for sample
PE file has a writeable .text section
Checks if the current process is being debugged
Enables debug privileges
One or more processes crash
PE file contains strange resources
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Stores large binary data to the registry
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • CUSTOM SHIPING DOCS.exe (PID: 4856 cmdline: 'C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe' MD5: 5533EC4C49C29A1225D1B01D38933BD4)
    • WerFault.exe (PID: 6088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 216 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Machine Learning detection for sampleShow sources
Source: CUSTOM SHIPING DOCS.exeJoe Sandbox ML: detected

System Summary:

barindex
PE file has a writeable .text sectionShow sources
Source: CUSTOM SHIPING DOCS.exeStatic PE information: Section: .text IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 216
Source: CUSTOM SHIPING DOCS.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CUSTOM SHIPING DOCS.exeStatic PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
Source: classification engineClassification label: mal48.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4856
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0BF.tmpJump to behavior
Source: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe 'C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 216
Source: CUSTOM SHIPING DOCS.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: CUSTOM SHIPING DOCS.exeStatic file information: File size 1651712 > 1048576
Source: CUSTOM SHIPING DOCS.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x13fa00
Source: C:\Windows\SysWOW64\WerFault.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicketJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess token adjusted: DebugJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection1Modify Registry1OS Credential DumpingSecurity Software Discovery2Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Virtualization/Sandbox Evasion2LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)DLL Side-Loading1NTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
CUSTOM SHIPING DOCS.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:326327
Start date:03.12.2020
Start time:09:59:38
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 2s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:CUSTOM SHIPING DOCS.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Run with higher sleep bypass
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winEXE@2/4@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Sleeps bigger than 120000ms are automatically reduced to 1000ms
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
Show All
  • Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 13.64.90.137
  • Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_CUSTOM SHIPING D_ab7019a57941d055ca75d96ef7ee3b39da4f9ae0_41b924a0_1781b95a\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):7902
Entropy (8bit):3.788331113066621
Encrypted:false
SSDEEP:192:d7C4jYzDVKGAbHBUZMXRsVjh/u7saS274ItMxL+U:BjcZSBUZMX4jh/u7saX4Itk+U
MD5:C2BB5C169FE09D872650E12637929F14
SHA1:4A3AAE485028B8626D3BA76D11584353787C0230
SHA-256:355BA59F9FA3F5420BA2662B3CE2CCACD7CB4C52D44E701913631C320341FE68
SHA-512:CAA5548F07FB1710EBCBE16C0F73B4217B573312BC2B5870EA8616F250EAA5F50FB55CD10FD8B43E43A1BC88580C2AFD6048068AF99DB3AF57E7325495326F79
Malicious:false
Reputation:low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.1.4.9.2.0.3.3.9.4.8.3.2.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.1.4.9.2.0.3.4.6.0.4.5.6.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.4.5.3.d.6.8.-.5.a.2.4.-.4.e.4.d.-.9.e.f.3.-.d.7.5.8.4.6.f.8.b.c.5.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.8.4.7.4.5.0.-.9.8.c.b.-.4.f.6.b.-.a.d.8.0.-.0.5.e.1.b.c.9.5.8.f.4.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.U.S.T.O.M. .S.H.I.P.I.N.G. .D.O.C.S...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.f.8.-.0.0.0.1.-.0.0.1.7.-.c.3.f.1.-.0.4.3.1.9.e.c.9.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.4.3.2.4.a.e.7.c.4.7.7.6.a.8.e.7.9.6.c.3.8.d.a.6.3.f.4.0.4.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.f.3.a.a.3.4.0.1.d.1.5.d.4.4.d.6.5.1.7.7.b.a.0.2.2.4.4.c.1.8.9.e.e.1.e.8.2.2.f.b.!.C.U.S.T.O.M. .S.H.I.P.I.N.
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0BF.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Dec 3 18:00:34 2020, 0x1205a4 type
Category:dropped
Size (bytes):18274
Entropy (8bit):2.1773832169366063
Encrypted:false
SSDEEP:96:53m8Q/UqA1hC06u2i1GE8MOXfn57NQXi7oV+V+A5WInWIX4I49pQLyA:wBA1hC06ri2JNQXGoQO9pQLyA
MD5:10465FC9B9CBB7D1B7E4261DDC1BE3AC
SHA1:4CFABC8E3BBD7E82FC24366825EA35BE11BCCE76
SHA-256:91FA41BD434980B288BB645247AC42E80668C865FDCB314DDEA87478CA04D73C
SHA-512:BCD01AABADADA81FD4DFBDED4631741F1BB8EEEE30CAD76ECDA05285F6E605D569931E17589299AC3CF66AC21A01DC807E558596B04F8DE0D57344549D23DB9E
Malicious:false
Reputation:low
Preview: MDMP....... ........'._...................U...........B..............GenuineIntelW...........T............'._.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1E8.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8340
Entropy (8bit):3.7075069242912075
Encrypted:false
SSDEEP:192:Rrl7r3GLNiLoo6z6YSbSU68ngmfHMISDCprT89b86sfFUm:RrlsNij6z6YeSU68ngmfLSH8Zfz
MD5:5849A53615CAF332AF88F15726371BA0
SHA1:A328C8DB9A6101DBFA9352FC4BAB22BA44331FA4
SHA-256:77CB4C428356ED2B92A41FD9F93594BFBFA6181989B58BA52A230E5CFCED6FA8
SHA-512:A988F241F981CA7237287B1F92CF46DCCD2FAC8226B9AAE891CDBED2B0C27F262B31C574FF9A648A25651C841FA9D215511C81C556D3DB5DF9F6248252FF5094
Malicious:false
Reputation:low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.5.6.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB286.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4630
Entropy (8bit):4.535803206542934
Encrypted:false
SSDEEP:48:cvIwSD8zsRJgtWI9xVWSC8Bng8fm8M4Jgkqk5/kkFx+q8rkDk4wuoYNktvkktVd:uITfj6kSNLJg5IRwG4uHSvkSVd
MD5:96C86DEC4B5F6644D71A3174CAD6F084
SHA1:63C06C9B1BA9F7BDF34A9D19A14282E10EE29660
SHA-256:A04691D185384E54DA71523C2E5F24BD4202B26D8F9CDBEFC4605DE39780913B
SHA-512:5C3D31BF84A05FE2B30B07D81651C48D509A1B708D7E9C361420ABD2DE90942EE067DCB0F2AF0F0A6EA41C311DB9A9E7ADD2A0B10B95F3D7A0ADC50F8029C6DD
Malicious:false
Reputation:low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="756191" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.364732034538418
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name:CUSTOM SHIPING DOCS.exe
File size:1651712
MD5:5533ec4c49c29a1225d1b01d38933bd4
SHA1:f3aa3401d15d44d65177ba02244c189ee1e822fb
SHA256:ed8bdc7dfb03c556a144b552517f725297acac5c046313b9f8a96432d94cdf5c
SHA512:0e25a152469a943eb9edc37a753dad54ffec54d434f2ba3d6e4d2a1a65469026ad7ad1868646bd02126488b4b37cbc9ec3b307c768d3224d3d5b9fcdc6cab39c
SSDEEP:12288:+MwYi7KvtGdcPXZig1LgO5adyneWQ8MCUIFiyS0ry90JrgV9V8+7c:+MR/vtGd6XogRgqlneWMzIJry9mrghc
File Content Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|.._...............G.2...H...........`........@..........................`.............................................

File Icon

Icon Hash:0f4d494919151b03

Static PE Info

General

Entrypoint:0x540800
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x5FC88D7C [Thu Dec 3 07:02:20 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:1
OS Version Minor:0
File Version Major:1
File Version Minor:0
Subsystem Version Major:1
Subsystem Version Minor:0
Import Hash:

Entrypoint Preview

Instruction
call 00007FE118D91D95h
pop edx
sub edx, 06h
push edx
xchg ebx, ebx
xchg ecx, ecx
and ecx, ecx
nop
xchg ecx, ecx
xchg ebx, ebx
mov ebx, dword ptr fs:[00000030h]
or ecx, ecx
xchg ecx, ecx
xchg ecx, ecx
mov ebx, dword ptr [ebx+0Ch]
xchg ebx, ebx
mov ebx, dword ptr [ebx+0Ch]
mov ebx, dword ptr [ebx]
xchg ecx, ecx
xchg ebx, ebx
xchg ecx, ecx
and edx, FFFFFFFFh
mov ebx, dword ptr [ebx]
and ecx, FFFFFFFFh
and eax, eax
mov eax, dword ptr [ebx+18h]
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [eax+3Ch]
add eax, dword ptr [ebp-04h]
xchg ebx, ebx
xchg ebx, ebx
mov eax, dword ptr [eax+78h]
xchg edx, edx
add eax, dword ptr [ebp-04h]
and ecx, FFFFFFFFh
and ecx, FFFFFFFFh
mov ebx, dword ptr [eax+20h]
nop
add ebx, dword ptr [ebp-04h]
mov ecx, dword ptr [eax+1Ch]
add ecx, dword ptr [ebp-04h]
xchg ebx, ebx
and eax, eax
mov edx, dword ptr [eax+24h]
add edx, dword ptr [ebp-04h]
or ecx, ecx
push ecx
and eax, eax
mov esi, dword ptr [ebx]
or ecx, ecx
and eax, eax
and edx, FFFFFFFFh
add esi, dword ptr [ebp-04h]
and edx, FFFFFFFFh
and ebx, FFFFFFFFh
push edx
push esi
and edx, FFFFFFFFh
xchg edx, edx
call 00007FE118D91E5Ch
or ebx, ebx
or eax, eax
or eax, eax
pop edx
and edx, edx
cmp eax, 0038D13Ch
je 00007FE118D91DA3h
add ebx, 04h
add edx, 02h
jmp 00007FE118D91D56h
or eax, eax
pop ecx
and edx, edx
and ecx, ecx
xor ebx, ebx
xchg ebx, ebx
mov bx, word ptr [edx]
or edx, edx
or ecx, ecx
imul ebx, ebx, 04h

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_RESOURCE0x18e0000x7e62.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x00x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x13f9ae0x13fa00False0.238771631795PE32 executable (GUI) Intel 80386, for MS Windows4.31097129452IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata0x1410000x7b80x800False0.623046875data5.6759037632IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data0x1420000x4aacf0x4ac00False0.969752691263data7.97592063341IMAGE_SCN_MEM_READ
.tls0x18d0000x7c0x200False0.052734375data0.118369631259IMAGE_SCN_MEM_READ
.rsrc0x18e0000x7e620x8000False0.276885986328data5.1412464449IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountry
RT_ICON0x18e1440x468GLS_BINARY_LSB_FIRST
RT_ICON0x18e5ac0x10a8data
RT_ICON0x18f6540x25a8data
RT_ICON0x191bfc0x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON0x195e240x3edata

Network Behavior

Network Port Distribution

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Dec 3, 2020 10:00:35.287821054 CET6511053192.168.2.38.8.8.8
Dec 3, 2020 10:00:35.398901939 CET53651108.8.8.8192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CUSTOM SHIPING DOCS.exe PID: 4856 Parent PID: 5612

General

Start time:10:00:32
Start date:03/12/2020
Path:C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe'
Imagebase:0x400000
File size:1651712 bytes
MD5 hash:5533EC4C49C29A1225D1B01D38933BD4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Chronological Activities

Analysis Process: WerFault.exe PID: 6088 Parent PID: 4856

General

Start time:10:00:33
Start date:03/12/2020
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 216
Imagebase:0x10a0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Chronological Activities

Disassembly

Code Analysis

Reset < >