Windows Analysis Report ilnQNBU7NA.exe
Overview
General Information
Detection
Score: | 24 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: |
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Key value queried: |
Source: | Code function: |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: |
Source: | File read: | Jump to behavior |
Source: | Code function: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process information set: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation1 | Access Token Manipulation1 | OS Credential Dumping | File and Directory Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | System Information Discovery4 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
9% | ReversingLabs | |||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1130366 | Download File | ||
100% | Avira | HEUR/AGEN.1130366 | Download File |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 491982 |
Start date: | 28.09.2021 |
Start time: | 08:42:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 11s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | ilnQNBU7NA.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 22 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | SUS |
Classification: | sus24.winEXE@1/0@0/0 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.982776725752498 |
TrID: |
|
File name: | ilnQNBU7NA.exe |
File size: | 3333764 |
MD5: | 76449275538d7041bebeeedf2ab75b1d |
SHA1: | 6dc592eb5c639f79e67d7e1d45b03d15c703ea08 |
SHA256: | bb47883b9a0e02bc3f3df2605176307900ea804ffa9698e35f93ea4909b28dbe |
SHA512: | 935df085c9cc9f04bb7f81051c9f23dbf6614d6a29f8fd13943caac046a3410c562bbad99bdaec50ca7cb1198ce81a9eddbedad7528793e4fb5f58ba18ce5bdc |
SSDEEP: | 98304:MNwTt3NIxtu9rEjIl7HTelXboTTTncIcTqHSgr+i:zxdInu5EOHTgrmPcIcGygr9 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f..........H3............@ |
File Icon |
---|
Icon Hash: | eccce4d6d2f0a7a3 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x403348 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | ced282d9b261d1462772017fe2f6972b |
Entrypoint Preview |
---|
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 0040A198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004080B8h] |
call dword ptr [004080BCh] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042F42Ch], eax |
je 00007F0AC4CA8873h |
push ebx |
call 00007F0AC4CAB9D6h |
cmp eax, ebx |
je 00007F0AC4CA8869h |
push 00000C00h |
call eax |
mov esi, 004082A0h |
push esi |
call 00007F0AC4CAB952h |
push esi |
call dword ptr [004080CCh] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007F0AC4CA884Dh |
push 0000000Bh |
call 00007F0AC4CAB9AAh |
push 00000009h |
call 00007F0AC4CAB9A3h |
push 00000007h |
mov dword ptr [0042F424h], eax |
call 00007F0AC4CAB997h |
cmp eax, ebx |
je 00007F0AC4CA8871h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F0AC4CA8869h |
or byte ptr [0042F42Fh], 00000040h |
push ebp |
call dword ptr [00408038h] |
push ebx |
call dword ptr [00408288h] |
mov dword ptr [0042F4F8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 00429850h |
call dword ptr [0040816Ch] |
push 0040A188h |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x19b44 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6457 | 0x6600 | False | 0.66823682598 | data | 6.43498570321 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4625 | data | 5.26100389731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x25538 | 0x600 | False | 0.463541666667 | data | 4.133728555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x38000 | 0x19b44 | 0x19c00 | False | 0.330040200243 | data | 5.57673300046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x382c8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 33554432, next used block 16777216 | English | United States |
RT_ICON | 0x48af0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4177526783, next used block 4294901760 | English | United States |
RT_ICON | 0x4cd18 | 0x25a8 | data | English | United States |
RT_ICON | 0x4f2c0 | 0x10a8 | data | English | United States |
RT_ICON | 0x50368 | 0x988 | data | English | United States |
RT_ICON | 0x50cf0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_DIALOG | 0x51158 | 0x100 | data | English | United States |
RT_DIALOG | 0x51258 | 0x11c | data | English | United States |
RT_DIALOG | 0x51374 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x513d4 | 0x5a | data | English | United States |
RT_VERSION | 0x51430 | 0x3d4 | data | English | United States |
RT_MANIFEST | 0x51804 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA |
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA |
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree |
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard |
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2009-2018 Marc Ochsenmeier |
InternalName | pestudio.exe |
FileVersion | 8, 81, 0, 0 |
CompanyName | www.winitor.com |
LegalTrademarks | www.winitor.com |
Comments | Malware Initial Assessment |
ProductName | pestudio |
ProductVersion | 8, 81, 0, 0 |
FileDescription | Malware Initial Assessment - www.winitor.com |
OriginalFilename | pestudio.exe |
Translation | 0x0000 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 28, 2021 08:42:53.684315920 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 28, 2021 08:42:53.719696045 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
Sep 28, 2021 08:43:08.279125929 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 28, 2021 08:43:08.300370932 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
Sep 28, 2021 08:43:25.203932047 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 28, 2021 08:43:25.237371922 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
Sep 28, 2021 08:43:42.366636038 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 28, 2021 08:43:42.398636103 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
Sep 28, 2021 08:43:59.870799065 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 28, 2021 08:43:59.890093088 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
Sep 28, 2021 08:44:06.138354063 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 28, 2021 08:44:06.159024000 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5 |
Sep 28, 2021 08:44:35.627495050 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 28, 2021 08:44:35.661778927 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
Sep 28, 2021 08:44:37.902513981 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 28, 2021 08:44:37.931077003 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
Code Manipulations |
---|
Statistics |
---|
System Behavior |
---|
General |
---|
Start time: | 08:42:58 |
Start date: | 28/09/2021 |
Path: | C:\Users\user\Desktop\ilnQNBU7NA.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 3333764 bytes |
MD5 hash: | 76449275538D7041BEBEEEDF2AB75B1D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|