Analysis Report coreupdater.exe

Overview

General Information

Sample Name:coreupdater.exe
Analysis ID:398583
MD5:eed41b4500e473f97c50c7385ef5e374
SHA1:fd153c66386ca93ec9993d66a84d6f0d129a3a5c
SHA256:10f3b92002bb98467334161cf85d0b1730851f9256f83c27db125e9a0c1cfda6
Detection

Family: Metasploit
Score: 68 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Entry point lies outside standard sections
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)

Startup

  • System is w10x64
  • coreupdater.exe (PID: 6948 cmdline: 'C:\Users\user\Desktop\coreupdater.exe' MD5: EED41B4500E473F97C50C7385EF5E374)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
coreupdater.exe | JoeSecurity_MetasploitPayload_2 | Yara detected Metasploit Payload | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: coreupdater.exe  Avira: detected
Multi AV Scanner detection for submitted file
Source: coreupdater.exe  Virustotal: Detection: 68%
Source: coreupdater.exe  ReversingLabs: Detection: 86%
Machine Learning detection for sample
Source: coreupdater.exe  Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.coreupdater.exe.140000000.0.unpack  Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.0.coreupdater.exe.140000000.0.unpack  Avira: Label: TR/Crypt.XPACK.Gen7

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View  IP Address: 203.78.103.109
Source: unknown  TCP traffic detected without corresponding DNS query: 203.78.103.109 (raised four times, once per outbound packet; no name was resolved at any point of the run, so the address is embedded in the sample)
Source: C:\Users\user\Desktop\coreupdater.exe  Code function: 0_2_00000001400040FD LoadLibraryA, WSAStartup, WSASocketA, connect, recv, closesocket
Source: unknown  Network traffic detected: HTTP traffic on port 49726 -> 443 and 49769 -> 443, with replies 443 -> 49726 and 443 -> 49769
"HTTP traffic" here is a port-based label. The only APIs in 0_2_00000001400040FD are plain Winsock calls (no HTTP or TLS library), and the report records no JA3 fingerprint context, so treat this as a raw TCP stager channel that happens to use port 443, not as HTTPS.

System Summary:

Source: classification engine  Classification label: mal68.troj.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\coreupdater.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key; the Windows loader consults it for every new process, so by itself this is not evidence of deliberate security-software discovery)
Source: coreupdater.exe  Static PE information: Image base 0x140000000 > 0x60000000 (0x140000000 is the default image base for 64-bit executables, so this is a weak indicator on its own)
Source: initial sample  Static PE information: section where entry point is pointing to: .lhru
Source: coreupdater.exe  Static PE information: real checksum: 0x8596 should be: 0x874e (the header value differs from the checksum computed over the file; a non-zero wrong value means the file was modified after linking, whereas a zero value would only mean the linker never set one)
Source: coreupdater.exe  Static PE information: section name: .lhru
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: coreupdater.exe, 00000000.00000002.902871142.000000000049B000.00000004.00000020.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll (a Winsock catalog entry: "Hyper-V RAW" is the Hyper-V socket provider implemented in mswsock.dll, which WSAStartup loads; it is not a hypervisor check performed by the sample)

Remote Access Functionality:

Yara detected Metasploit Payload
Source: Yara match  File source: coreupdater.exe, type: SAMPLE

Mitre Att&ck Matrix

Only the techniques below were matched (the digit that followed each name in the flattened matrix is the sandbox's match count); every other cell of the matrix was an unmatched placeholder.

Tactic | Technique | Matches
Defense Evasion | Software Packing | 1
Discovery | Security Software Discovery | 1
Discovery | System Information Discovery | 1
Command and Control | Encrypted Channel | 2
Command and Control | Application Layer Protocol | 1
Command and Control | Ingress Tool Transfer | 1

The two Discovery entries appear to come from the Safer\CodeIdentifiers registry read and the "Hyper-V RAW" memory string listed above, both routine side effects of process start and WSAStartup rather than deliberate discovery, and the Encrypted Channel entry appears to be inferred from the destination port (443); none of them is corroborated by an observed API or TLS handshake in this report.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
coreupdater.exe | 69% | Virustotal |
coreupdater.exe | 86% | ReversingLabs | Win64.Backdoor.Meterpreter
coreupdater.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
coreupdater.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.coreupdater.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.0.coreupdater.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs (public)

IP | Domain | Country | ASN | ASN Name | Malicious
203.78.103.109 | unknown | Thailand | 18362 | NETWAY-AS-AP Netway Communication Co Ltd, TH | false

The "Malicious: false" column is the sandbox's reputation flag for the address itself; the Joe Sandbox View context below associates the same IP with six earlier malicious coreupdater.exe submissions, so treat it as a command-and-control indicator regardless of that flag.

    General Information

    Joe Sandbox Version:31.0.0 Emerald
    Analysis ID:398583
    Start date:27.04.2021
    Start time:18:11:31
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 10s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:coreupdater.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal68.troj.winEXE@1/0@0/1
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 100% (good quality ratio 50%)
    • Quality average: 25.5%
    • Quality standard deviation: 25.5%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

    Simulations

    Behavior and APIs

    No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
203.78.103.109 | coreupdater.exe (six earlier submissions) | malicious

Domains

No context

ASN

Match | Associated Sample Name / URL | IP | Detection
NETWAY-AS-AP Netway Communication Co Ltd TH | coreupdater.exe (seven submissions) | 203.78.103.109 | malicious
NETWAY-AS-AP Netway Communication Co Ltd TH | qevRktR4diBlxL7.exe | 203.78.104.33 | malicious
NETWAY-AS-AP Netway Communication Co Ltd TH | PO72920.exe | 203.78.107.126 | malicious

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                No created / dropped files found

                Static File Info

                General

                File type:PE32+ executable (GUI) x86-64, for MS Windows
                Entropy (8bit):1.5023004512656497
                TrID:
                • Win64 Executable GUI (202006/5) 92.65%
                • Win64 Executable (generic) (12005/4) 5.51%
                • Generic Win/DOS Executable (2004/3) 0.92%
                • DOS Executable Generic (2002/1) 0.92%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:coreupdater.exe
                File size:7168
                MD5:eed41b4500e473f97c50c7385ef5e374
                SHA1:fd153c66386ca93ec9993d66a84d6f0d129a3a5c
                SHA256:10f3b92002bb98467334161cf85d0b1730851f9256f83c27db125e9a0c1cfda6
                SHA512:b8f9a4e0de32cb2ab17c84091ccc61a16197ac5726513b7214a28af83c7a04326836c3980db426905b783daddf8951bcd60864aa3c088d0d98a63544825251da
                SSDEEP:24:eFGStrJ9u0/6ZAGnZd0BQAVs2Pb85n8acX3bTJBm2uJ65OxCLYk9fpmB:is0je0BQx2Pbqn8LHCJ65+CR9sB
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9$..}E..}E..}E..Z...~E..}E~..E..t=..|E..t=..|E..Rich}E..................PE..d...}<.K..........#......0...........@.........@...

                File Icon

                Icon Hash:00828e8e8686b000

                Static PE Info

                General

                Entrypoint:0x140004000
                Entrypoint Section:.lhru
                Digitally signed:false
                Imagebase:0x140000000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
                DLL Characteristics:TERMINAL_SERVER_AWARE
                Time Stamp:0x4BC63C7D [Wed Apr 14 22:06:53 2010 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:b4c6fff030479aa3b12625be67bf4914

Entrypoint Preview

Note on reading this listing: Joe Sandbox renders the 64-bit entry code with a 32-bit decoder, so every "dec eax" is really the 0x48 REX.W prefix of the instruction that follows it. Read that way, the first lines are xor rcx, rcx; sub rcx, -0x40 (a 0x40-iteration counter); a RIP-relative lea back to the start of the stub; the first four bytes (63771DFAh) of an 8-byte mov rbx, imm64 whose remaining key bytes are what the decoder prints as "xchg eax, ebp / push ds / ror ..."; then sub rax, -8 and loop, i.e. a small in-place decoding loop with an 8-byte stride, the layout of the stub the msfvenom x64/xor encoder emits. Everything after the loop instruction is still-encoded payload and disassembles as nonsense, which is also why the writable, executable .lhru section has entropy 5.27 while .text is almost empty. This self-decoding code is what the Crypt.XPACK labels and the Software Packing ATT&CK mapping refer to.

Instruction
dec eax
xor ecx, ecx
dec eax
sub ecx, FFFFFFC0h
dec eax
lea eax, dword ptr [FFFFFFEFh]
dec eax
mov ebx, 63771DFAh
xchg eax, ebp
push ds
ror dword ptr [eax+31h], 1
pop eax
daa
dec eax
sub eax, FFFFFFF8h
loop 00007F5E90A93156h
push es
push ebp
hlt
xchg esi, eax
jnl 00007F5E90A93134h
sar edx, 1
sbb eax, C5773236h
dec esp
sub byte ptr [ebp+edx*2-22AC4EBAh], FFFFFF95h
sbb dword ptr [edx+2E31FC55h], FFFFFFDDh
xchg eax, ebp
sbb edx, 55h
cld
adc dword ptr [esi-23h], esp
adc dword ptr [esi-50h], esp
push edi
cmp dl, byte ptr [edx-01h]

                Rich Headers

                Programming Language:
                • [IMP] VS2005 build 50727
                • [LNK] VS2008 SP1 build 30729
                • [ASM] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4228 | 0x6c | .lhru
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4298 | 0x8 | .lhru
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x18 | .rdata

All other directories (EXPORT, RESOURCE, EXCEPTION, SECURITY, DEBUG, COPYRIGHT, GLOBALPTR, TLS, LOAD_CONFIG, BOUND_IMPORT, DELAY_IMPORT, COM_DESCRIPTOR, RESERVED) are empty (0x0 / 0x0). The import directory sits inside the writable, executable .lhru section rather than in .rdata or .idata, consistent with that section having been appended after the original link.

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x104e | 0x1200 | False | 0.025390625 | data | 0.168100494025 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x3000 | 0x84 | 0x200 | False | 0.15625 | data | 0.963086734599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lhru | 0x4000 | 0x2a0 | 0x400 | False | 0.630859375 | data | 5.27184729098 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
KERNEL32.dll | VirtualAlloc, ExitProcess

Only two functions are imported statically. ws2_32.dll is absent from the import table: the executed function 0_2_00000001400040FD loads it through LoadLibraryA at run time (the string "ws2_32" appears in that function's strings), which keeps every network API out of static import analysis.
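The static indicators in this section (entry point in .lhru, wrong checksum, non-standard writable and executable section, two imports) can be reproduced without a sandbox. The script below is an added example, not part of the Joe Sandbox report and not pefile: a standard-library Python triage that parses the PE headers, recomputes the checksum with the ImageHlp algorithm and emits the same class of findings. The image it checks is constructed in the script to mirror this file's layout (section names, RVAs and characteristics from the tables above); its bytes are filler, not the analysed binary, and the stored checksum 0x8596 is copied from the report only so that a mismatch shows up.

```python
"""Static PE header triage (added example, standard library only)."""
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".xdata", ".idata",
                     ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
SCN_CODE, SCN_INIT = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def parse_pe(data):
    """Return (optional header offset, entry point RVA, section list) of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw, "chars": chars})
    return opt, entry_rva, sections


def pe_checksum(data, opt):
    """ImageHlp-style checksum: carry-folded 32-bit sum of every dword except the
    CheckSum field (optional header + 0x40), folded to 16 bits, plus the file length."""
    skip = (opt + 64) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def triage(data):
    """Findings of the same kind as the report's static PE signatures."""
    opt, entry_rva, sections = parse_pe(data)
    findings = []
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    real = pe_checksum(data, opt)
    # Zero means the linker left it unset; non-zero and wrong means post-link modification.
    if stored and stored != real:
        findings.append(f"checksum mismatch: header 0x{stored:x}, computed 0x{real:x}")
    entry = next((s for s in sections
                  if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"])), None)
    if entry is None:
        findings.append(f"entry point 0x{entry_rva:x} is outside every section")
    elif entry["name"] != ".text":
        findings.append(f"entry point in section {entry['name']}, not .text")
    for s in sections:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']}")
        if s["chars"] & SCN_EXEC and s["chars"] & SCN_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
    return findings


def patch_checksum(data):
    """Store the recomputed checksum in the header, as a linker or signing tool would."""
    opt, _, _ = parse_pe(data)
    return data[:opt + 64] + struct.pack("<I", pe_checksum(data, opt)) + data[opt + 68:]


def build_pe64(sections, entry_rva, checksum=0):
    """Assemble a minimal PE32+ image from (name, rva, characteristics, body) tuples."""
    falign, salign = 0x200, 0x1000
    size_headers = -(-(0x40 + 24 + 240 + 40 * len(sections)) // falign) * falign
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x23)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 9, 0, 0, 0, 0, entry_rva,
                      0x1000, 0x140000000, salign, falign, 4, 0, 4, 0, 4, 0, 0,
                      sections[-1][1] + salign, size_headers, checksum, 2, 0x8000,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    headers, bodies, raw_ptr = b"", b"", size_headers
    for name, va, chars, body in sections:
        raw = -(-len(body) // falign) * falign
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(body), va, raw, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(raw, b"\0")
        raw_ptr += raw
    return (dos + coff + opt + headers).ljust(size_headers, b"\0") + bodies


# Constructed sample mirroring the report's layout: near-empty .text, tiny .rdata and the
# entry point inside an RWX section named .lhru. The bytes are filler, not the real payload;
# the stored checksum 0x8596 is the header value the report quotes, used to force a mismatch.
SECTIONS = [
    (".text", 0x1000, SCN_CODE | SCN_EXEC | SCN_READ, b"\0" * 0x104E),
    (".rdata", 0x3000, SCN_INIT | SCN_READ, b"\0" * 0x84),
    (".lhru", 0x4000, SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE, bytes(range(256)) * 3),
]
SAMPLE = build_pe64(SECTIONS, entry_rva=0x4000, checksum=0x8596)
```

Run `triage(SAMPLE)` to get the findings for the constructed image, or pass `open(path, "rb").read()` for a real file. The checksum test is only meaningful when the stored value is non-zero, which is why a zero header value is not reported; unsigned binaries routinely ship with it unset.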

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 27, 2021 18:12:14.702913046 CEST | 49726 | 443 | 192.168.2.4 | 203.78.103.109
Apr 27, 2021 18:12:15.132515907 CEST | 443 | 49726 | 203.78.103.109 | 192.168.2.4
Apr 27, 2021 18:12:15.132766962 CEST | 49726 | 443 | 192.168.2.4 | 203.78.103.109
Apr 27, 2021 18:14:12.642050028 CEST | 443 | 49726 | 203.78.103.109 | 192.168.2.4
Apr 27, 2021 18:14:12.643842936 CEST | 49769 | 443 | 192.168.2.4 | 203.78.103.109
Apr 27, 2021 18:14:12.973098993 CEST | 443 | 49769 | 203.78.103.109 | 192.168.2.4
Apr 27, 2021 18:14:12.973440886 CEST | 49769 | 443 | 192.168.2.4 | 203.78.103.109

Two sessions are visible, from source ports 49726 and 49769. The last server packet of the first session arrives at 18:14:12.642 and a new connection from port 49769 follows within 2 ms, which is the closesocket -> WSASocketA -> connect loop of the execution graph reconnecting after the server side ended the first session. No traffic beyond the handshakes is recorded, in line with "Program does not show much activity (idle)".
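The report flags TCP traffic to 203.78.103.109 with no corresponding DNS query. The detection logic below is an added example, not part of the report; it runs over a constructed event list built from the outbound rows of the table above plus a hypothetical DNS-resolved connection (updates.example.net resolving to 198.51.100.7, an RFC 5737 documentation address) so that both branches are exercised. It flags public destinations that were never returned in a DNS answer earlier in the capture and reports how far apart the sessions to them were, which exposes the retry spacing of a stager.

```python
"""Outbound connections without a preceding DNS answer (added example, not part of the report)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


# Constructed event list. The 203.78.103.109 rows are the outbound packets from the report's
# TCP table (CEST timestamps); the DNS answer and the 198.51.100.7 connection are hypothetical,
# added so that a properly resolved destination is present for comparison.
EVENTS = [
    {"ts": "2021-04-27 18:12:10.000000", "kind": "dns", "name": "updates.example.net", "answer": "198.51.100.7"},
    {"ts": "2021-04-27 18:12:11.000000", "kind": "tcp", "src": "192.168.2.4", "sport": 49700, "dst": "198.51.100.7", "dport": 443},
    {"ts": "2021-04-27 18:12:14.702913", "kind": "tcp", "src": "192.168.2.4", "sport": 49726, "dst": "203.78.103.109", "dport": 443},
    {"ts": "2021-04-27 18:12:15.132766", "kind": "tcp", "src": "192.168.2.4", "sport": 49726, "dst": "203.78.103.109", "dport": 443},
    {"ts": "2021-04-27 18:14:12.643842", "kind": "tcp", "src": "192.168.2.4", "sport": 49769, "dst": "203.78.103.109", "dport": 443},
    {"ts": "2021-04-27 18:14:12.973440", "kind": "tcp", "src": "192.168.2.4", "sport": 49769, "dst": "203.78.103.109", "dport": 443},
]


def unresolved_sessions(events):
    """Map (dst, dport) -> session count and reconnect gaps for destinations no DNS answer named."""
    resolved = {}                      # answer IP -> first name that resolved to it
    sessions = defaultdict(dict)       # (dst, dport) -> {source port: (first packet, had_dns)}
    for ev in sorted(events, key=lambda e: ts(e["ts"])):
        if ev["kind"] == "dns":
            resolved.setdefault(ev["answer"], ev["name"])
        elif ev["kind"] == "tcp" and is_internal(ev["src"]) and not is_internal(ev["dst"]):
            key = (ev["dst"], ev["dport"])
            # one session per source port; the DNS check uses only answers seen before the packet
            sessions[key].setdefault(ev["sport"], (ts(ev["ts"]), ev["dst"] in resolved))
    findings = {}
    for key, by_port in sessions.items():
        starts = sorted(by_port.values())
        if all(had_dns for _, had_dns in starts):
            continue
        gaps = [round((b - a).total_seconds(), 1) for (a, _), (b, _) in zip(starts, starts[1:])]
        findings[key] = {"sessions": len(starts), "reconnect_gaps_s": gaps}
    return findings
```

On this input the only finding is 203.78.103.109:443 with two sessions 117.9 s apart. The check produces false positives for addresses resolved before the capture started or cached by the resolver, so in production correlate it with host DNS telemetry (for example Sysmon event 22) rather than the packet capture alone; a stager with a literal address, as here, never resolves anything.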

                System Behavior

                General

                Start time:18:12:14
                Start date:27/04/2021
                Path:C:\Users\user\Desktop\coreupdater.exe
                Wow64 process (32bit):false
                Commandline:'C:\Users\user\Desktop\coreupdater.exe'
                Imagebase:0x140000000
                File size:7168 bytes
                MD5 hash:EED41B4500E473F97C50C7385EF5E374
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low

                Disassembly

                Code Analysis


Execution Graph

Execution Coverage: 45.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 77.8%
Total number of Nodes: 9
Total number of Limit Nodes: 2

Graph (node id, address, API calls, edges as id -> id, from the flattened graph text):
34  0x140004000  entry point               34 -> 35
35  0x14000401b  (self-loop)               35 -> 35, 35 -> 38
38  0x1400040fd  LoadLibraryA, WSAStartup  38 -> 39
39  0x140004146  WSASocketA                39 -> 40
40  0x140004165  connect                   40 -> 41, 40 -> 43
41  0x140004185  recv                      41 -> 42, 41 -> 43
42  0x1400041f8  closesocket               42 -> 39
43  0x14000417b  (no API)                  43 -> 40, 43 -> 41, 43 -> 42, 43 -> 44
44  0x140004215  (self-loop)               44 -> 44

Node 35 sits at entry + 0x1b, exactly where the decoding loop of the entry stub begins (see Entrypoint Preview), so that self-loop is the in-place decoder. The 42 -> 39 edge is the retry path: after closesocket the code creates a fresh socket and connects again, which is why the packet capture shows a second session from port 49769 about two minutes after the first.

Callgraph

Function_0000000140004000 (entry point) -> Function_00000001400040FD (network loop)
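The graph above is effectively a behavioural signature: Winsock loaded at run time, then WSAStartup, WSASocketA, connect, recv and a closesocket edge back to WSASocketA, in a binary whose import table declares none of those functions. The matcher below is an added example, not Joe Sandbox code and not the rule that fired here; it shows how such an ordered API sequence and a "called but never imported" check are evaluated over a per-process API trace. Both traces are constructed: the stager trace follows the node order of the graph with assumed argument strings, and the benign client trace and its import table are hypothetical.

```python
"""Ordered API-sequence matching over an API call trace (added example, not part of the report)."""

# Each step is (API name, substring that must appear in its arguments, or None).
# Unrelated calls may occur between steps, but the steps must appear in this order.
REVERSE_TCP_STAGER = [
    ("LoadLibraryA", "ws2_32"),   # Winsock loaded at run time; "ws2_32" is in the function's strings
    ("WSAStartup", None),
    ("WSASocketA", None),
    ("connect", None),
    ("recv", None),
]

STATIC_IMPORTS = {"KERNEL32.dll": {"VirtualAlloc", "ExitProcess"}}   # the report's import table


def match_sequence(trace, signature):
    """Return the trace index at which the last step of the signature matched, or None."""
    step = 0
    for pos, (api, args) in enumerate(trace):
        want_api, want_arg = signature[step]
        if api == want_api and (want_arg is None or want_arg.lower() in (args or "").lower()):
            step += 1
            if step == len(signature):
                return pos
    return None


def runtime_resolved(trace, static_imports):
    """APIs the process called that its import table never declares (resolved at run time)."""
    declared = set().union(*static_imports.values())
    return sorted({api for api, _ in trace} - declared)


def classify(trace, static_imports=STATIC_IMPORTS):
    connects = sum(1 for api, _ in trace if api == "connect")
    return {
        "reverse_tcp_stager": match_sequence(trace, REVERSE_TCP_STAGER) is not None,
        "reconnect_attempts": max(connects - 1, 0),   # closesocket -> WSASocketA -> connect again
        "runtime_resolved_apis": runtime_resolved(trace, static_imports),
    }


# Constructed trace following the report's execution graph: one session, closesocket, then the
# loop back to WSASocketA for a second attempt. Argument strings are assumed, not captured.
STAGER_TRACE = [
    ("LoadLibraryA", "ws2_32"), ("WSAStartup", "2.2"), ("WSASocketA", "AF_INET, SOCK_STREAM"),
    ("connect", "203.78.103.109:443"), ("recv", None), ("closesocket", None),
    ("WSASocketA", "AF_INET, SOCK_STREAM"), ("connect", "203.78.103.109:443"), ("recv", None),
]

# Hypothetical benign client: Winsock imported statically and a name resolved before connecting.
BENIGN_IMPORTS = {"WS2_32.dll": {"getaddrinfo", "socket", "connect", "send", "recv", "closesocket"}}
BENIGN_TRACE = [
    ("getaddrinfo", "updates.example.net"), ("socket", "AF_INET, SOCK_STREAM"),
    ("connect", "198.51.100.7:443"), ("send", None), ("recv", None), ("closesocket", None),
]
```

`classify(STAGER_TRACE)` reports the sequence as matched, one reconnect attempt, and all six Winsock and loader APIs as resolved at run time; the benign trace matches nothing and has no undeclared APIs. The ordering constraint is what keeps the rule from firing on any program that merely uses sockets: a legitimate client resolves a name and imports ws2_32.dll statically instead of loading it by string.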

Executed Functions

Function at 0x1400040FD (per the API ID below: LoadLibrary, WSAStartup, WSASocket, connect, recv, closesocket)

Memory Dump Source
• Source File: 00000000.00000002.903003152.0000000140004000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.902993994.0000000140000000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_coreupdater.jbxd
Similarity
• API ID: LibraryLoadSocketStartupclosesocketconnectrecv
• String ID: unMa$ws2_32
• API String ID: 3143952708-2325342229
• Opcode ID: e0bc243e3ece973aafce17a10db08446549acb4de04a9cf65ddec8ad0dde3452
• Instruction ID: 0eb5a51088fb32553ad0377e79a2f18065261e7ce6dd6a858750634258cf552b
• Opcode Fuzzy Hash: e0bc243e3ece973aafce17a10db08446549acb4de04a9cf65ddec8ad0dde3452
• Instruction Fuzzy Hash: 0E2108E275515828F927A2A33D57FF544456B29FE0F5840207F1E4F7D6DC68C6C2411D
Uniqueness

Uniqueness Score: -1.00%

                  Non-executed Functions