Analysis Report jesovROZ8A.exe

Overview

General Information

Sample Name: jesovROZ8A.exe
Analysis ID: 346431
MD5: 039ce25d495fa555ae1c210592b564d0
SHA1: 6684d0ffde174052a03931981262dc0a7cb9891c
SHA256: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab
Tags: unnamed3

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Checks if the current process is being debugged
Detected potential crypto function
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: jesovROZ8A.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: jesovROZ8A.exe Virustotal: Detection: 85%
Source: jesovROZ8A.exe ReversingLabs: Detection: 100%
Machine Learning detection for sample
Source: jesovROZ8A.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: jesovROZ8A.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Detected potential crypto function
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 588
Sample file is different than original file name gathered from version info
Source: jesovROZ8A.exe, 00000000.00000002.206549685.0000000000446000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameChevy.exe` vs jesovROZ8A.exe
Source: jesovROZ8A.exe Binary or memory string: OriginalFilenameChevy.exe` vs jesovROZ8A.exe
Uses 32bit PE files
Source: jesovROZ8A.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: jesovROZ8A.exe Static PE information: Section: UPX1 ZLIB complexity 0.996900699013
Source: classification engine Classification label: mal60.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2416
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97.tmp
Source: C:\Users\user\Desktop\jesovROZ8A.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: jesovROZ8A.exe Virustotal: Detection: 85%
Source: jesovROZ8A.exe ReversingLabs: Detection: 100%
Source: unknown Process created: C:\Users\user\Desktop\jesovROZ8A.exe 'C:\Users\user\Desktop\jesovROZ8A.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 588

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\jesovROZ8A.exe Code function: 0_2_0040D056 push ds; retf 0_2_0040D132
Source: C:\Users\user\Desktop\jesovROZ8A.exe Code function: 0_2_00405414 push ds; retn 0000h 0_2_0040542F
Source: C:\Users\user\Desktop\jesovROZ8A.exe Code function: 0_2_004060E9 push ecx; ret 0_2_004060EA
Source: C:\Users\user\Desktop\jesovROZ8A.exe Code function: 0_2_00410DFE pushad ; ret 0_2_00410E01
Source: C:\Users\user\Desktop\jesovROZ8A.exe Code function: 0_2_0040D5B6 push 00880000h; ret 0_2_0040D658
Source: C:\Users\user\Desktop\jesovROZ8A.exe Code function: 0_2_004046EA pushad ; ret 0_2_004046EF
Source: C:\Users\user\Desktop\jesovROZ8A.exe Code function: 0_2_00405EFB pushad ; ret 0_2_00405EFC
Source: C:\Users\user\Desktop\jesovROZ8A.exe Code function: 0_2_0040577F push edi; ret 0_2_0040578C
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\jesovROZ8A.exe Process queried: DebugPort
Behavior Graph

Behavior Graph ID: 346431
Sample: jesovROZ8A.exe
Startdate: 31/01/2021
Architecture: WINDOWS
Score: 60
Signatures on the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process tree: jesovROZ8A.exe (started) -> WerFault.exe (started)
File dropped by WerFault.exe: C:\ProgramData\Microsoft\...\Report.wer, Little-endian
No contacted IP infos