Play interactive tour

Edit tour

Windows Analysis Report ilnQNBU7NA.exe

Overview

General Information

Sample Name:	ilnQNBU7NA.exe
Analysis ID:	491982
MD5:	76449275538d7041bebeeedf2ab75b1d
SHA1:	6dc592eb5c639f79e67d7e1d45b03d15c703ea08
SHA256:	bb47883b9a0e02bc3f3df2605176307900ea804ffa9698e35f93ea4909b28dbe
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Machine Learning detection for sample

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Program does not show much activity (idle)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

ilnQNBU7NA.exe (PID: 6316 cmdline: 'C:\Users\user\Desktop\ilnQNBU7NA.exe' MD5: 76449275538D7041BEBEEEDF2AB75B1D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for sample

Show sources

Source: ilnQNBU7NA.exe

Joe Sandbox ML: detected

Source: ilnQNBU7NA.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: ilnQNBU7NA.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe	Code function: 1_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,

Source: ilnQNBU7NA.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ilnQNBU7NA.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

Code function: 1_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: ilnQNBU7NA.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: ilnQNBU7NA.exe, 00000001.00000000.244825608.0000000000438000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamepestudio.exe2 vs ilnQNBU7NA.exe
Source: ilnQNBU7NA.exe	Binary or memory string: OriginalFilenamepestudio.exe2 vs ilnQNBU7NA.exe

Source: ilnQNBU7NA.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe	Code function: 1_2_00406945
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe	Code function: 1_2_0040711C

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

File read: C:\Users\user\Desktop\ilnQNBU7NA.exe

Jump to behavior

Source: ilnQNBU7NA.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

File created: C:\Users\user\AppData\Local\Temp\nsf5E6D.tmp

Jump to behavior

Source: classification engine

Classification label: sus24.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

Code function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

Code function: 1_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: ilnQNBU7NA.exe

Static file information: File size 3333764 > 1048576

Source: ilnQNBU7NA.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: ilnQNBU7NA.exe

Static PE information: real checksum: 0x502be1 should be: 0x33a921

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

Process information set: NOOPENFILEERRORBOX

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe	Code function: 1_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\ilnQNBU7NA.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Access Token Manipulation1	Access Token Manipulation1	OS Credential Dumping	File and Directory Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	System Information Discovery4	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ilnQNBU7NA.exe	9%	ReversingLabs
ilnQNBU7NA.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.ilnQNBU7NA.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File
1.0.ilnQNBU7NA.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	ilnQNBU7NA.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	ilnQNBU7NA.exe	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491982
Start date:	28.09.2021
Start time:	08:42:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ilnQNBU7NA.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus24.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 96.5%) Quality average: 83.3% Quality standard deviation: 25%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.50.102.62, 40.112.88.60, 20.82.210.154, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/491982/sample/ilnQNBU7NA.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.982776725752498
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ilnQNBU7NA.exe
File size:	3333764
MD5:	76449275538d7041bebeeedf2ab75b1d
SHA1:	6dc592eb5c639f79e67d7e1d45b03d15c703ea08
SHA256:	bb47883b9a0e02bc3f3df2605176307900ea804ffa9698e35f93ea4909b28dbe
SHA512:	935df085c9cc9f04bb7f81051c9f23dbf6614d6a29f8fd13943caac046a3410c562bbad99bdaec50ca7cb1198ce81a9eddbedad7528793e4fb5f58ba18ce5bdc
SSDEEP:	98304:MNwTt3NIxtu9rEjIl7HTelXboTTTncIcTqHSgr+i:zxdInu5EOHTgrmPcIcGygr9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f..........H3............@

File Icon


Icon Hash:	eccce4d6d2f0a7a3

Static PE Info

General
Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007F0AC4CA8873h
push ebx
call 00007F0AC4CAB9D6h
cmp eax, ebx
je 00007F0AC4CA8869h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F0AC4CAB952h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F0AC4CA884Dh
push 0000000Bh
call 00007F0AC4CAB9AAh
push 00000009h
call 00007F0AC4CAB9A3h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007F0AC4CAB997h
cmp eax, ebx
je 00007F0AC4CA8871h
push 0000001Eh
call eax
test eax, eax
je 00007F0AC4CA8869h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x19b44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	False	0.66823682598	data	6.43498570321	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4625	data	5.26100389731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	False	0.463541666667	data	4.133728555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x19b44	0x19c00	False	0.330040200243	data	5.57673300046	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x382c8	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 33554432, next used block 16777216	English	United States
RT_ICON	0x48af0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4177526783, next used block 4294901760	English	United States
RT_ICON	0x4cd18	0x25a8	data	English	United States
RT_ICON	0x4f2c0	0x10a8	data	English	United States
RT_ICON	0x50368	0x988	data	English	United States
RT_ICON	0x50cf0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x51158	0x100	data	English	United States
RT_DIALOG	0x51258	0x11c	data	English	United States
RT_DIALOG	0x51374	0x60	data	English	United States
RT_GROUP_ICON	0x513d4	0x5a	data	English	United States
RT_VERSION	0x51430	0x3d4	data	English	United States
RT_MANIFEST	0x51804	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	Copyright 2009-2018 Marc Ochsenmeier
InternalName	pestudio.exe
FileVersion	8, 81, 0, 0
CompanyName	www.winitor.com
LegalTrademarks	www.winitor.com
Comments	Malware Initial Assessment
ProductName	pestudio
ProductVersion	8, 81, 0, 0
FileDescription	Malware Initial Assessment - www.winitor.com
OriginalFilename	pestudio.exe
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 08:42:53.684315920 CEST	62060	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:42:53.719696045 CEST	53	62060	8.8.8.8	192.168.2.5
Sep 28, 2021 08:43:08.279125929 CEST	61805	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:43:08.300370932 CEST	53	61805	8.8.8.8	192.168.2.5
Sep 28, 2021 08:43:25.203932047 CEST	54795	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:43:25.237371922 CEST	53	54795	8.8.8.8	192.168.2.5
Sep 28, 2021 08:43:42.366636038 CEST	49557	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:43:42.398636103 CEST	53	49557	8.8.8.8	192.168.2.5
Sep 28, 2021 08:43:59.870799065 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:43:59.890093088 CEST	53	61733	8.8.8.8	192.168.2.5
Sep 28, 2021 08:44:06.138354063 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:44:06.159024000 CEST	53	65447	8.8.8.8	192.168.2.5
Sep 28, 2021 08:44:35.627495050 CEST	52441	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:44:35.661778927 CEST	53	52441	8.8.8.8	192.168.2.5
Sep 28, 2021 08:44:37.902513981 CEST	62176	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:44:37.931077003 CEST	53	62176	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

System Behavior

Analysis Process: ilnQNBU7NA.exe PID: 6316 Parent PID: 1324

General

Start time:	08:42:58
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\ilnQNBU7NA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ilnQNBU7NA.exe'
Imagebase:	0x400000
File size:	3333764 bytes
MD5 hash:	76449275538D7041BEBEEEDF2AB75B1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ilnQNBU7NA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

System Behavior

Analysis Process: ilnQNBU7NA.exe PID: 6316 Parent PID: 1324

General

Disassembly

Code Analysis