Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report VZghv7yI7g.exe

Overview

General Information

Sample Name:VZghv7yI7g.exe
Analysis ID:450819
MD5:73bb5c4b690b8d6df88d6bc18fb3a553
SHA1:60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256:a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
Infos:

Most interesting Screenshot:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • VZghv7yI7g.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\VZghv7yI7g.exe' MD5: 73BB5C4B690B8D6DF88D6BC18FB3A553)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: VZghv7yI7g.exeVirustotal: Detection: 29%Perma Link
Source: VZghv7yI7g.exeReversingLabs: Detection: 13%
Source: VZghv7yI7g.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_004092BC
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C329
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8CEAA
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C6B4
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8CEE6
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8CAD7
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8DE3B
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C665
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C7B8
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8DBBF
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8DB8F
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8CF87
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8DF14
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8CB63
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8CB72
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8DB55
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C8CA
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8DCC7
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8E033
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C816
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C9C1
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C5DB
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8DD3B
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C90C
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8DD07
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C563
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C567
Source: VZghv7yI7g.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VZghv7yI7g.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VZghv7yI7g.exe, 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
Source: VZghv7yI7g.exe, 00000000.00000002.826092877.0000000002920000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs VZghv7yI7g.exe
Source: VZghv7yI7g.exeBinary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
Source: VZghv7yI7g.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engineClassification label: mal60.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\VZghv7yI7g.exeFile created: C:\Users\user\AppData\Local\Temp\~DFEB0EEF351A7A5910.TMPJump to behavior
Source: VZghv7yI7g.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VZghv7yI7g.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\VZghv7yI7g.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VZghv7yI7g.exeVirustotal: Detection: 29%
Source: VZghv7yI7g.exeReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0040C06E push 00000000h; retf
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_00406625 push ebp; iretd
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8E73F push edi; ret
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8D1F3 push FFFFFFB9h; retf
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8D1CB push FFFFFFB9h; retf
Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
Source: C:\Users\user\Desktop\VZghv7yI7g.exeRDTSC instruction interceptor: First address: 0000000002A8E352 second address: 0000000002A8E352 instructions:
Tries to detect virtualization through RDTSC time measurementsShow sources
Source: C:\Users\user\Desktop\VZghv7yI7g.exeRDTSC instruction interceptor: First address: 0000000002A8E352 second address: 0000000002A8E352 instructions:
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8CEAA rdtsc
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)Show sources
Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8CEAA rdtsc
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C5DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C563 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8C567 mov eax, dword ptr fs:[00000030h]
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02A8CD39 cpuid

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionVirtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery31Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsObfuscated Files or Information1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerSystem Information Discovery211SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
VZghv7yI7g.exe30%VirustotalBrowse
VZghv7yI7g.exe13%ReversingLabsWin32.Backdoor.Remcos

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:450819
Start date:19.07.2021
Start time:18:43:16
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 18s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:VZghv7yI7g.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal60.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 60.9% (good quality ratio 25.5%)
  • Quality average: 22.8%
  • Quality standard deviation: 31.7%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
Show All
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.2221702126738
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.15%
  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:VZghv7yI7g.exe
File size:241664
MD5:73bb5c4b690b8d6df88d6bc18fb3a553
SHA1:60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256:a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
SHA512:9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567
SSDEEP:3072:+3BepJlZa/xao5JKwI7V4R4iUW/qcijw2HJlZapGBR:EiUIo5JKPgU99vHP
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...WS.N................. ...................0....@................

File Icon

Icon Hash:f8fcd4ccf4e4e8d0

Static PE Info

General

Entrypoint:0x4019b0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x4EA15357 [Fri Oct 21 11:11:19 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:e9f7dd0da1a2a1266893e1ae4ef42b67

Entrypoint Preview

Instruction
push 00408AA0h
call 00007F93148FE125h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
outsd
mul byte ptr [ebx+3Fh]
dec esi
outsb
and al, 41h
mov bl, 08h
popad
pop ds
test al, CEh
xchg eax, esi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 56h
jne 00007F93148FE1A4h
cmp dword ptr fs:[eax], eax
add al, byte ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
xor esp, esp
push cs
xchg eax, edx
test eax, 48C3D75Ah
mov gs, bx
test al, CAh
xor esp, esp
xor al, 88h
jecxz 00007F93148FE15Ah
scasb
and dword ptr [edi-40B94528h], 28h
cmp dword ptr [edx-38D0AA14h], edi
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
out 6Fh, eax
add byte ptr [eax], al
lea ebp, dword ptr [eax+00h]
add byte ptr [eax], al
add al, 00h
jnc 00007F93148FE19Ah
add byte ptr [41000401h], cl
jc 00007F93148FE199h
jne 00007F93148FE132h
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al
and al, byte ptr [ecx]
and ecx, dword ptr [esi+68h]
add byte ptr [eax], al
insb

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x322340x28.text
IMAGE_DIRECTORY_ENTRY_RESOURCE0x350000x6d0a.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
IMAGE_DIRECTORY_ENTRY_IAT0x10000x1a4.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x318a40x32000False0.39177734375data6.3764832494IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data0x330000x12900x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc0x350000x6d0a0x7000False0.481689453125data5.46300019784IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountry
RT_ICON0x3ae620xea8data
RT_ICON0x3a5ba0x8a8data
RT_ICON0x39ef20x6c8data
RT_ICON0x3998a0x568GLS_BINARY_LSB_FIRST
RT_ICON0x373e20x25a8dBase III DBT, version number 0, next free block index 40
RT_ICON0x3633a0x10a8data
RT_ICON0x359b20x988data
RT_ICON0x3554a0x468GLS_BINARY_LSB_FIRST
RT_GROUP_ICON0x354d40x76data
RT_VERSION0x352400x294dataEnglishUnited States

Imports

DLLImport
MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

DescriptionData
Translation0x0409 0x04b0
LegalCopyrightSocialbakers
InternalNameIndtr8
FileVersion1.00
CompanyNameSocialbakers
LegalTrademarksSocialbakers
ProductNameVurd9
ProductVersion1.00
OriginalFilenameIndtr8.exe

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: VZghv7yI7g.exe PID: 6992 Parent PID: 5956

General

Start time:18:44:02
Start date:19/07/2021
Path:C:\Users\user\Desktop\VZghv7yI7g.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\VZghv7yI7g.exe'
Imagebase:0x400000
File size:241664 bytes
MD5 hash:73BB5C4B690B8D6DF88D6BC18FB3A553
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Visual Basic
Reputation:low

Disassembly

Code Analysis

Reset < >