
Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh

Overview

General Information

Sample Name:NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Analysis ID:482886
MD5:b71a9e479123528ba6f7b8642b924d0e
SHA1:5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256:1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Found inlined nop instructions (likely shell or obfuscated code)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function

Process Tree

  • System is w10x64
  • unarchiver.exe (PID: 2172 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
    • 7za.exe (PID: 5036 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\zdsmcxok.014' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | Virustotal: Detection: 14%
  Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | ReversingLabs: Detection: 39%
  (both lines are listed twice in the original report)

Remaining signature evidence. Every source below is the unpacking helper unarchiver.exe, its memory dump, or the 7za.exe it launched to extract the archive (compare the process tree and the unarchiver.log dropped file). The member NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe named in the static file info never appears as a process, so the nop-instruction, suspended-process and crypto-function signatures describe the extraction tooling rather than the archived payload; the behavior graph shows the AV hit as the only signature node attached to the sample.
  Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll (listed twice)
  Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 055D099Bh
  Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 055D099Ah
  Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_055D02A8
  Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_055D0299
  Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\103b5ifs.cxq
  Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
  Source: classification engine | Classification label: mal48.winLZH@3/1@0/0
  Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
  Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\zdsmcxok.014' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' (listed three times)
  Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX (14 occurrences)
  Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard
  Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
  Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: Progman
  Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
  Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
  Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
  Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
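
The "4x nop then jmp 055D099Bh" entries are the raw output of a simple byte-pattern heuristic: a run of inline NOPs (0x90) that ends in a jmp is typical of hand-written shellcode and of code that was patched or padded after assembly, but it is also produced by alignment padding in legitimately compiled code. The scanner below is an added example of that heuristic, not Joe Sandbox's detector; the code bytes are constructed, laid out at the address range the report names so that the first hit lands on the same target, 055D099Bh. Because the report attributes every such hit to unarchiver.exe, which it identifies as a .NET binary, the signature says nothing about the archived payload here.

```python
"""Scan a code region for runs of inline NOPs that end in a jmp, the pattern behind
the report's "Found inlined nop instructions (likely shell or obfuscated code)"
signature. Added example, not Joe Sandbox's detector; SAMPLE_CODE is constructed."""


def find_nop_jmp(code, base=0, min_nops=4):
    """Return [(run_address, nop_count, jump_target)] for every run of at least
    min_nops 0x90 bytes followed directly by a short jmp (EB rel8) or near jmp
    (E9 rel32). Calls (E8) and shorter runs are ignored, matching the report's
    '4x nop then jmp' wording."""
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != 0x90:
            i += 1
            continue
        start = i
        while i < n and code[i] == 0x90:
            i += 1
        count = i - start
        if count < min_nops or i >= n:
            continue
        op = code[i]
        if op == 0xEB and i + 2 <= n:          # jmp rel8
            rel, ilen = int.from_bytes(code[i + 1:i + 2], "little", signed=True), 2
        elif op == 0xE9 and i + 5 <= n:        # jmp rel32
            rel, ilen = int.from_bytes(code[i + 1:i + 5], "little", signed=True), 5
        else:
            continue
        # The displacement is relative to the address of the next instruction.
        hits.append((base + start, count, base + i + ilen + rel))
    return hits


def format_hits(hits):
    """Render hits in the report's own wording."""
    return ["%dx nop then jmp %08Xh (run at %08Xh)" % (count, target, addr)
            for addr, count, target in hits]


# Constructed 40-byte region placed at the address range the report mentions.
BASE = 0x055D0990
SAMPLE_CODE = bytes.fromhex(
    "90909090" "EB05"            # 4 nops, jmp +5   -> target 055D099Bh
    "CCCCCCCCCC"                 # filler
    "909090" "E910000000"        # only 3 nops: below the threshold
    "9090909090" "E800000000"    # 5 nops but a call, not a jmp
    "909090909090" "E9E0FFFFFF"  # 6 nops, jmp -32  -> target 055D0998h
)

if __name__ == "__main__":
    for line in format_hits(find_nop_jmp(SAMPLE_CODE, BASE)):
        print(line)
```

Raising min_nops, or requiring that the jump target also lie inside a writable region, cuts the false positives from compiler alignment padding; the report's fixed threshold of four is why a .NET helper process can trigger it.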

Mitre Att&ck Matrix

Techniques carrying a trailing digit are the ones the report matched; the digit is the superscript match counter from the interactive matrix, kept exactly as extracted. Entries without a digit carry no match count in the report.

Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux)
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Process Injection12 | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: Disable or Modify Tools1 | Process Injection12 | Obfuscated Files or Information1
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: Process Discovery1 | System Information Discovery2 | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Archive Collected Data1 | Data from Removable Media | Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Command and Control: Encrypted Channel1 | Junk Data | Steganography
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data

Behavior Graph

(Interactive graph and legend not reproduced.) Behavior Graph ID: 482886; Sample: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh; Startdate: 14/09/2021; Architecture: WINDOWS; Score: 48. Nodes: the signature "Multi AV Scanner detection for submitted file" attached to the sample; process unarchiver.exe (started), which starts 7za.exe.

Screenshots

(Thumbnails not reproduced; the only image alt text present is "windows-stand".)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                            Detection  Scanner        Label
NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh  14%        Virustotal     (none)
NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh  40%        ReversingLabs  Win32.Backdoor.Androm

(The signature section above quotes the ReversingLabs figure as 39%; both numbers appear in the original report.)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:482886
Start date:14.09.2021
Start time:09:50:53
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 11m 33s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Suspected Instruction Hammering Hide Perf
Number of new started processes analysed:37
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winLZH@3/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .lzh
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\103b5ifs.cxq\unarchiver.log
Process:C:\Windows\SysWOW64\unarchiver.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):164
Entropy (8bit):5.281035011969486
Encrypted:false
SSDEEP:3:t9tIoC1OUfuWDUWJRWrfj6MwkZJsmo6OKUsttIoDoF8UWWDUkh4E2J5xAIhKh+Ry:moDU1NJAbj6qsD9oDu1923fu
MD5:46A89269107BA94195D3A2A20DFFAA9A
SHA1:532B3843A26A4B771791FD3852C7655674475A08
SHA-256:2B3BB182ED50A9ED2B11634E5302EEA3DE5DD87C0ED0224F10159640950457CB
SHA-512:042A8AC300009739B2F2FA258095A128B96AE6ECE6B04E6107E75B0889A6DC5F5AD8CCBB97228DBE6C18F4BB7C45ED9B4241C3B070412302D3B3F588DACB9D61
Malicious:false
Reputation:low
Preview:
  09/14/2021 9:51 AM: Unpack: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
  09/14/2021 9:51 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\zdsmcxok.014

Static File Info

General

File type: LHa (2.x) archive data [lh5], with "NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe"
Entropy (8bit):7.983327494950816
TrID:
  • LHARC/LZARK compressed archive (6/4) 100.00%
File name:NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
File size:107136
MD5:b71a9e479123528ba6f7b8642b924d0e
SHA1:5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256:1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5
SHA512:ba6f16107c9a944ca2c62b419ff29933caad97650f4482102f92c364d95d52282710a2882723785373035e79828e56f98aee69f0f280b81c9cecbe103e7dbcde
SSDEEP:3072:dVlHrjorhU1+isBSk4x1DdS3sdP2hxhBpimq:9r8U+94x1Z2s1qxPY
File Content Preview:6.-lh5-H....0....-S . NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe..^.........]..x........2.Z....R..Z*T..R....f.......P..2j.IEU..HQU$........}........=.....y...{..|.'.;.....@....#m.3<E......=.....5...e..|..k..U....x.N...%..i..B..AC.5c@i ..".......6..c...j. t.........
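
The preview above shows the archive's only member header, and the bytes the extractor left printable already tell the story: the first byte '6' (0x36 = 54) is a level-0 header length, which is 17 fixed bytes plus the attribute, level and name-length bytes plus a 32-byte name plus a 2-byte CRC; the space at offset 21 (0x20 = 32) is that name length, which matches NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe exactly; and the "-S" at offsets 17 and 18 is the little-endian DOS date word 0x532D, which decodes to 2021-09-13, the day before this analysis ran. A mail gateway or triage script can recover all of that, plus the full member list, without ever decompressing the lh5 stream, which is the point of listing an unusual archive format before handing it to an extractor. The parser below is an added example and not Joe Sandbox code; the header layouts are the standard LHA level-0/1/2 formats, and the archive bytes it builds are constructed to mirror the preview's layout with made-up sizes, payload and a second member.

```python
"""List the members of an LZH/LHA archive from its headers alone, without
decompressing anything, and flag members that are executables.

Added triage example, not Joe Sandbox code. The header layouts are the LHA
level-0/1/2 formats; SAMPLE is constructed to mirror the layout visible in
the report's File Content Preview (level-0 header, method -lh5-, member
NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe) and its sizes, payload and second member
are made up.
"""
import struct

# Member names that have no business inside a shipping "arrival notice".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd",
                       ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1", ".msi")


def _dos_datetime(time16, date16):
    """Decode the packed MS-DOS time/date words used by level-0/1 headers."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date16 >> 9), (date16 >> 5) & 0xF, date16 & 0x1F,
        time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2)


def _ext_headers(buf, off):
    """Walk a chain of extended headers that starts with a 2-byte size field.
    Each header is: type (1) | data | size of the next header (2); size 0 ends
    the chain. Returns ({type: data}, offset just past the chain)."""
    found = {}
    size, = struct.unpack_from("<H", buf, off)
    off += 2
    while size:
        if size < 3 or off + size > len(buf):
            raise ValueError("malformed extended header at offset %d" % off)
        found[buf[off]] = buf[off + 1:off + size - 2]
        nxt, = struct.unpack_from("<H", buf, off + size - 2)
        off += size
        size = nxt
    return found, off


def parse_member(buf, pos):
    """Parse one member header at pos; return (member dict, offset of next header)."""
    if pos + 22 > len(buf):
        raise ValueError("truncated header at offset %d" % pos)
    level = buf[pos + 20]
    method = buf[pos + 2:pos + 7].decode("latin-1")
    if level in (0, 1):
        hsize = buf[pos]                  # bytes from offset 2 to end of base header
        body = buf[pos + 2:pos + 2 + hsize]
        if len(body) != hsize or (sum(body) & 0xFF) != buf[pos + 1]:
            raise ValueError("truncated header or bad checksum at offset %d" % pos)
        packed, original, t16, d16 = struct.unpack_from("<IIHH", buf, pos + 7)
        nlen = buf[pos + 21]
        name = buf[pos + 22:pos + 22 + nlen].decode("latin-1")
        stamp = _dos_datetime(t16, d16)
        if level == 1:                    # validate the chain; 'packed' already counts it
            _ext_headers(buf, pos + 25 + nlen)
        end = pos + 2 + hsize
    elif level == 2:
        hsize, = struct.unpack_from("<H", buf, pos)   # whole header incl. extensions
        packed, original, unix_ts = struct.unpack_from("<III", buf, pos + 7)
        exts, ext_end = _ext_headers(buf, pos + 24)
        if ext_end > pos + hsize:
            raise ValueError("level-2 header size mismatch at offset %d" % pos)
        name = exts.get(0x01, b"").decode("latin-1")  # 0x01 = file name extension
        stamp = "unix:%d" % unix_ts
        end = pos + hsize
    else:
        raise ValueError("unsupported header level %d at offset %d" % (level, pos))
    member = {"name": name, "method": method, "level": level, "packed": packed,
              "original": original, "time": stamp,
              "executable": name.lower().endswith(EXECUTABLE_SUFFIXES)}
    return member, end + packed


def list_members(buf):
    """Walk every member header until the zero end-of-archive byte (or end of data)."""
    members, pos = [], 0
    while pos < len(buf) and buf[pos] != 0:
        member, pos = parse_member(buf, pos)
        members.append(member)
    return members


def executable_members(buf):
    """Names of members a gateway should block or detonate before delivery."""
    return [m["name"] for m in list_members(buf) if m["executable"]]


def build_level0(name, payload, original_size, dos_time, dos_date):
    """Build one level-0 member (header + already-compressed payload). The CRC-16 of
    the uncompressed data is left as 0 because no real compression is modelled."""
    nm = name.encode("latin-1")
    body = (b"-lh5-" + struct.pack("<IIHH", len(payload), original_size, dos_time, dos_date)
            + bytes([0x20, 0, len(nm)]) + nm + struct.pack("<H", 0))
    return bytes([len(body), sum(body) & 0xFF]) + body + payload


# Constructed archive: the lure executable plus a harmless second member, then the
# zero terminator. 0x532D is the date word that shows as "-S" in the report preview.
DOS_DATE = 0x532D
SAMPLE = (build_level0("NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe", b"\x5e" * 64, 200000, 0, DOS_DATE)
          + build_level0("readme.txt", b"\x41" * 16, 16, 0, DOS_DATE)
          + b"\x00")

if __name__ == "__main__":
    for m in list_members(SAMPLE):
        print("%-34s %s lvl%d packed=%d orig=%d %s%s" % (
            m["name"], m["method"], m["level"], m["packed"], m["original"], m["time"],
            "  <-- EXECUTABLE" if m["executable"] else ""))
```

Walking by header alone means the per-member CRC-16 is read but not verified (that needs the decompressed data), and the header checksum only guards the metadata. It is enough for a block-or-detonate decision: the constructed archive's first header starts with the same 0x36 and carries the same 0x20 name length as the preview, and the lure member is flagged before any extractor such as the 7za.exe call in the process tree is ever run.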

File Icon

Icon Hash:00828e8e8686b000

Network Behavior

No network behavior found

Behavior

System Behavior

General

Start time:09:51:55
Start date:14/09/2021
Path:C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Imagebase:0xe20000
File size:10240 bytes
MD5 hash:DB55139D9DD29F24AE8EA8F0E5606901
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:moderate

General

Start time:09:51:56
Start date:14/09/2021
Path:C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\zdsmcxok.014' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Imagebase:0x230000
File size:289792 bytes
MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
