Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report SignerLib.exe

Overview

General Information

Sample Name:SignerLib.exe
Analysis ID:441008
MD5:796b3e4674b68b33c906ce32c3275d83
SHA1:af8dc103b73c194816743ee22023a3cee934ac54
SHA256:afb5cbe324865253c7a9dcadbe66c66746ea360f0cd184a2f4e1bbf104533ccd
Infos:

Most interesting Screenshot:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Found potential dummy code loops (likely to delay analysis)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
PE file contains strange resources
Program does not show much activity (idle)
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • SignerLib.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\SignerLib.exe' MD5: 796B3E4674B68B33C906CE32C3275D83)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: SignerLib.exeVirustotal: Detection: 15%Perma Link
Source: SignerLib.exeReversingLabs: Detection: 17%
Source: 0.0.SignerLib.exe.1220000.0.unpackAvira: Label: TR/ATRAPS.Gen4
Source: SignerLib.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Users\user\Desktop\SignerLib.exeProcess Stats: CPU usage > 98%
Source: SignerLib.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SignerLib.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: classification engineClassification label: mal52.evad.winEXE@1/0@0/0
Source: SignerLib.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SignerLib.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: SignerLib.exeVirustotal: Detection: 15%
Source: SignerLib.exeReversingLabs: Detection: 17%
Source: SignerLib.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: SignerLib.exeStatic file information: File size 7115776 > 1048576
Source: SignerLib.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x6bc400
Source: SignerLib.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SignerLib.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SignerLib.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SignerLib.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SignerLib.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SignerLib.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SignerLib.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SignerLib.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SignerLib.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SignerLib.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SignerLib.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SignerLib.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)Show sources
Source: C:\Users\user\Desktop\SignerLib.exeProcess Stats: CPU usage > 90% for more than 60s
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SignerLib.exeMemory allocated: page read and write | page guardJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionVirtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Software Packing1Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.